"The campaign — calling itself the mini Shai-Hulud — has affected the following packages associated with SAP's JavaScript and cloud application," cybersecurity researchers report.
mini Shai-Hulud: a named supply-chain campaign
Security researchers have identified a supply-chain attack campaign that is self-styled as "mini Shai-Hulud." According to multiple reports, the campaign specifically targets SAP-related npm packages and delivers credential‑stealing malware. The characterization and the name of the campaign appear in reporting from several independent security teams.
Target: SAP-related npm packages for JavaScript and cloud application
The affected software, as described by the researchers, comprises npm packages associated with SAP's JavaScript and cloud application. Public advisories and reports state the campaign has impacted those SAP-related packages, though the synopsis available to this report does not enumerate package names or provide a detailed list in the source material.
Payload described: credential-stealing malware
All sources agree on one technical detail reported: the malicious code delivered through the compromised packages functions as credential‑stealing malware. Reporters describe the primary objective of the injected code as harvesting credentials, a capability explicitly named in the available advisories.
Multiple security teams raising the alarm
The campaign has been documented and publicized by a cluster of cybersecurity organizations. Reports come from Aikido Security, SafeDep, Socket, StepSecurity, and Google‑owned Wiz. Those organizations have published findings that collectively describe the same campaign, its self-chosen label, and its focus on SAP‑linked npm packages.
How security teams, SAP customers, and open-source maintainers are likely to respond
- Security teams and detection vendors: Given the reporting by Aikido Security, SafeDep, Socket, StepSecurity, and Wiz, these teams will be watching the SAP‑related npm ecosystem for indicators tied to the self‑named mini Shai‑Hulud campaign and for signs of credential theft in environments that consume those packages.
- SAP customers and cloud-application users: Organizations that depend on SAP's JavaScript and cloud application packages will be prompted to review their usage of npm dependencies tied to SAP and to follow future disclosures from the reporting teams for specifics about affected packages.
- Open-source maintainers and package owners: Maintainers of npm packages associated with SAP technologies will likely need to confirm package integrity and coordinate with the reporting organizations to clarify whether packages they host were altered or maliciously published.
The available reporting establishes that a coordinated alert has been issued: multiple security organizations have observed a campaign named "mini Shai‑Hulud" that compromises SAP‑related npm packages to deploy credential‑stealing malware. What remains to be detailed in subsequent disclosures are the exact package names, the scale of distribution, and the indicators of compromise; the researchers named above are the public sources for those next steps. For organizations that use SAP's JavaScript and cloud‑related npm packages, the immediate signal from the record is clear — researchers are sounding the alarm and further technical detail from those reporting teams will determine remediation priorities.




