TL;DR

A Mini Shai-Hulud variant targeting the SAP ecosystem compromised mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, and related packages starting in April 2026. The payload harvests local dev creds, GitHub/npm tokens, GitHub Actions secrets, and cloud credentials for AWS, Azure, GCP, and Kubernetes.

What happened

A targeted credential-stealing payload was injected into SAP-related npm packages. Unlike the worm versions of Shai-Hulud, this campaign focused on enterprise developer machines and CI runners where SAP CAP (Cloud Application Programming) tooling is common.

The malware specifically enumerates: - ~/.npmrc, ~/.yarnrc, ~/.config/configstore/ - ~/.aws/credentials, ~/.aws/config - ~/.azure/, ~/.config/gcloud/ - ~/.kube/config - GitHub Actions secrets via $GITHUB_TOKEN if running in CI - Environment variables matching *TOKEN*, *KEY*, *SECRET*, *PASSWORD*

Am I affected?

# Affected package families
npm ls --all 2>/dev/null | grep -E '(@cap-js/|^mbt|@sap/cds)'

If you've installed or upgraded any of these in April or May 2026, assume credential theft.

If you are affected

playbooks/if-you-installed-a-bad-npm-package.mdplaybooks/rotating-cloud-credentials.md — all of AWS, Azure, GCP, Kubernetes → playbooks/if-your-github-pat-leaked.md

Prevention

prevention/npm-hardening.mdprevention/credential-hygiene.md — use short-lived creds, OIDC, 1Password CLI

Sources