Hackers compromised 4 SAP npm packages, exposing crypto wallets and cloud keys for 572k weekly users. Check your build logs for the April 29, 2026, breach.
A sophisticated supply chain attack has compromised four npm packages associated with SAP’s Cloud Application Programming (CAP) model, creating a direct pipeline for attackers to siphon crypto wallets, cloud credentials, and SSH keys from developer environments. The breach, which impacts packages seeing approximately 572,000 weekly downloads, represents a shift in tactics from traditional typosquatting to the direct injection of malicious code into legitimate, widely used software components.
The attack vector involves the modification of existing tarballs after their initial release. While the original SAP source code remains present, attackers appended three additional files to the packages, timestamped hours after the legitimate code was published. This indicates a breach of the distribution pipeline rather than a simple malicious upload. The loader script, which is byte-identical across all four compromised packages, initiates a process that downloads and executes a Bun runtime binary from GitHub. This binary then triggers an obfuscated 11.7MB JavaScript payload designed to harvest sensitive data.
Security researchers have identified the specific affected versions as @cap-js/core@7.9.3, @cap-js/sqlite@1.7.3, @sap/cds@8.1.1, and @sap/cds-dk@8.1.1. The payload is highly targeted, utilizing a check against 25 platform variables—including GitHub Actions, CircleCI, and Jenkins—to distinguish between CI/CD environments and individual developer workstations. If the system is identified as a developer machine, the malware scans for over 80 types of credential files. This includes AWS, Azure, and Kubernetes configurations, Docker tokens, and crypto wallets across eleven different platforms. The inclusion of AI tool configuration files, such as those for Claude and Kiro MCP, underscores the attackers' intent to capture modern development secrets.
The technical footprint of this campaign, which researchers have dubbed "mini-shai-hulud" and attributed to a group known as "TeamPCP," shows significant overlap with previous malicious activity. The payload employs a two-layer encryption scheme using a __decodeScrambled() function. The specific use of PBKDF2 with 200,000 SHA-256 iterations and the salt "ctf-scramble-v2" matches payloads previously linked to Checkmarx and Bitwarden campaigns. This suggests that the attackers are leveraging a standardized toolkit for credential exfiltration, allowing them to scale their operations across different software ecosystems.
This event highlights the systemic risk inherent in modern CI/CD pipelines. Unlike previous attacks that relied on developers accidentally downloading a fake package with a similar name, this campaign compromised the actual SAP namespace. For SAP stock page, which currently carries an Alpha Score of 40/100, the incident underscores the vulnerability of enterprise-grade software supply chains to automated injection. The exposure window, which centered on April 29, 2026, necessitates a rigorous audit of build environments for any organization utilizing SAP CAP or MTA-based deployment pipelines.
Organizations must prioritize checking dependency trees and lockfiles for the specific compromised versions listed above. Furthermore, security teams should review CI/CD logs for unauthorized network requests or binary executions that occurred during the exposure window. Because the malware specifically targets crypto wallets and cloud infrastructure credentials, the scope of potential damage extends far beyond the SAP ecosystem. Any developer who installed these packages must assume that all credentials present in their build environment—including private keys and cloud access tokens—have been compromised and should be rotated immediately.
The "mini-shai-hulud" campaign is the latest in a series of targeted attacks on developer tools. In March 2026, researchers identified five typosquatted npm packages that targeted Solana and Ethereum developers, while the "PromptMink" campaign in April 2026 utilized AI-generated commits to insert malicious code into crypto trading projects. These incidents demonstrate that state-sponsored and organized criminal groups are increasingly focusing on the software supply chain as a primary entry point for crypto market analysis and financial theft. As these attacks become more automated and harder to detect, the reliance on automated dependency management requires a corresponding increase in security scrutiny for every package update, regardless of its source or reputation.
AI-drafted from named sources and checked against AlphaScala publishing rules before release. Direct quotes must match source text, low-information tables are removed, and thinner or higher-risk stories can be held for manual review.