'Mini Shai-Hulud' supply chain attack targets SAP npm packages

On April 29, 2026, security researchers detailed a campaign known as ‘mini Shai-Hulud’ that involves compromised versions of npm packages used in SAP’s Cloud Application Programming Model (CAP). The malicious packages reportedly contain functionality to steal sensitive data such as credentials. The stolen data is encrypted and exfiltrated via public GitHub repositories. 

The maintainers of known-compromised packages have released updated versions.

Recommended actions

Counter Threat Unit™ (CTU) researchers recommend that organizations investigate whether compromised versions were installed in their environment. Organizations should also review GitHub, npm, and cloud activity associated with any potentially exposed credentials and rotate secrets that may have been accessible.
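
One way to run the first check against a project's lockfile, as an added example that is not code from CTU, Sophos or the package maintainers. The package names and versions in the denylist are constructed placeholders (this page does not list the affected packages), and `findCompromised` and `SAMPLE_LOCK` are hypothetical names.

```javascript
// Constructed placeholder denylist: NOT the real package names or versions.
// Replace with the name/version pairs listed in the maintainers' advisories.
const COMPROMISED = new Map([
  ["@example-scope/placeholder-pkg", ["9.9.1", "9.9.2"]],
  ["placeholder-lib", ["1.2.3"]],
]);

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// resolved name@version that appears in the denylist, with its install path.
function findCompromised(lock, denylist = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if ((denylist.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  // v2/v3: flat "packages" map keyed by install path; "" is the root project.
  for (const [where, meta] of Object.entries(lock.packages || {})) {
    if (where === "") continue;
    const i = where.lastIndexOf("node_modules/");
    const name = meta.name || (i >= 0 ? where.slice(i + "node_modules/".length) : where);
    check(name, meta.version, where);
  }
  // v1: nested "dependencies" tree. v2 files carry both, so only walk this
  // when "packages" is absent, otherwise every hit would be reported twice.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}node_modules/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, `${where}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile. For a real project, pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/placeholder-lib": { version: "1.2.4" },
    "node_modules/@example-scope/placeholder-pkg": { version: "9.9.1" },
    "node_modules/dep-x/node_modules/placeholder-lib": { version: "1.2.3" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

A lockfile only records what is resolved now, so an empty result does not show that a compromised version was never installed; run the same check over earlier commits of the lockfile and over CI build caches as well.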

Sophos protections

The following Sophos protections relate to this threat:

  • JS/Agent-BMAH
  • JS/Steal-EAT