← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
WHITE PetrP.73 2026-04-30 Modified: 2026-05-30
29
IOCs
MEDIUM VOLUME
A supply-chain compromise has emerged, specifically targeting the SAP developer ecosystem via manipulated npm packages. The attack leverages a new preinstall hook in a trusted package, which leads to the execution of a setup.mjs file that downloads and utilizes the Bun JavaScript runtime. The core of the threat lies within an obfuscated payload named execution.js, approximately 11.7 MB in size, functioning as a credential stealer and framework for propagating the attack.
githubgithub actionsazurekuberneteskey vaultmini shaihuludaikido useraikidosap developerbun javascriptaprilexfiltrationthreatspypi
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (2 / 29 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 35baf8316645372eea40b91d48acb067 MD5 of 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-MD5 35baf8316645372eea40b91d48acb067 MD5 of 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
References (2)
↗ https://www.aikido.dev/blog/mini-shai-hulud-has-appeared ↗ https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared