Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
Summary
A new Mini Shai-Hulud supply-chain campaign is targeting SAP-related npm packages, putting developer and CI/CD environments at risk of credential theft and malicious package propagation. The poisoned releases published on April 29, 2026 used a preinstall flow to bootstrap Bun, execute malware, and exfiltrate secrets. The operation matters because it can spread through trusted package and workflow paths while stealing GitHub/npm tokens and cloud secrets.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Laravel Lang organization hit by network compromise
Incident
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Timeline
- 12.05.2026 11:50 · 1 article · 15d ago
  Mini Shai-Hulud spreads to TanStack and PyPI packages
  Campaign Scope Update: Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
  Sources:
  - Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — thehackernews.com — 12.05.2026 11:50
- 29.04.2026 19:26 · 1 article · 28d ago
  Mini Shai-Hulud publishes malicious SAP-related npm packages
  Exploitation Observed: The Mini Shai-Hulud campaign published poisoned releases for [email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected], adding a package.json preinstall hook that loads setup.mjs, downloads a platform-specific Bun ZIP from GitHub Releases, and runs execution.js to steal credentials and propagate through developer and release workflows.
  Sources:
  - SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack — thehackernews.com — 29.04.2026 19:26
- 29.04.2026 19:26 · 1 article · 28d ago
  Researchers analyze Mini Shai-Hulud credential theft and persistence
  Technical Analysis Update: Researchers from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Wiz described Mini Shai-Hulud as a supply-chain campaign affecting SAP's JavaScript and cloud application development ecosystem. They noted that the malware harvests local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes, and said the payload exfiltrates data to victim-owned GitHub repositories while injecting .claude/settings.json and .vscode/tasks.json for persistence. Wiz also said the packages share features with prior TeamPCP operations and use a TeamPCP-linked shared RSA public key.
  Sources:
  - SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack — thehackernews.com — 29.04.2026 19:26
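
A triage check for the install-hook and persistence behaviour described in the timeline entries above, as an added example that is not code from the original page or from any of the cited researchers. It flags install-time lifecycle hooks, the file names reported here (setup.mjs, execution.js, router_init.js), and shipped copies of .claude/settings.json or .vscode/tasks.json; the package names and scripts in the sample tree are constructed, and the `auditPackage` / `auditTree` helpers are hypothetical.

```javascript
// Added example (not from the original page): triage of installed packages.
// Install-time lifecycle hooks that npm runs automatically.
const LIFECYCLE = ["preinstall", "install", "postinstall"];
// File names reported in the timeline entries on this page.
const REPORTED_FILES = ["setup.mjs", "execution.js", "router_init.js"];
// Paths the page says the payload injects for persistence.
const PERSISTENCE_PATHS = [".claude/settings.json", ".vscode/tasks.json"];

// manifest: parsed package.json; files: relative paths shipped in the package.
function auditPackage(name, manifest, files) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE) {
    if (typeof scripts[hook] !== "string") continue;
    // A hook that names a reported file is high severity; any other hook needs review.
    const named = REPORTED_FILES.filter((f) => scripts[hook].includes(f));
    findings.push({
      pkg: name,
      severity: named.length ? "high" : "review",
      reason: `${hook} hook: ${scripts[hook]}`,
    });
  }
  for (const path of files) {
    const norm = path.replace(/\\/g, "/"); // normalise Windows separators
    if (PERSISTENCE_PATHS.some((p) => norm === p || norm.endsWith("/" + p))) {
      findings.push({ pkg: name, severity: "high", reason: `ships ${norm}` });
    }
  }
  return findings;
}

// Constructed sample data: hypothetical package names and scripts.
const SAMPLE_TREE = [
  { name: "example-clean-lib", manifest: { scripts: { test: "node test.js" } },
    files: ["index.js", "package.json"] },
  { name: "example-native-addon", manifest: { scripts: { install: "node-gyp rebuild" } },
    files: ["binding.gyp", "src/addon.cc"] },
  { name: "example-poisoned-lib", manifest: { scripts: { preinstall: "node setup.mjs" } },
    files: ["setup.mjs", "execution.js", ".vscode/tasks.json"] },
];

function auditTree(tree) {
  return tree.flatMap((p) => auditPackage(p.name, p.manifest, p.files));
}

for (const f of auditTree(SAMPLE_TREE)) {
  console.log(`[${f.severity}] ${f.pkg}: ${f.reason}`);
}
```

A "review" finding is only a prompt to read the hook, since legitimate native add-ons also use install scripts; installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while the tree is being audited.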