
Malware Worms Into SAP, Intercom and Lightning Developer Tools

Collectively, four compromised SAP-related npm packages receive about 572,000 weekly downloads — and attackers published poisoned releases in a narrow window on April 29 between 09:55 and 12:14 UTC.

SAP npm packages hit on April 29

On April 29, attackers published malicious releases of four official npm packages associated with SAP's JavaScript and cloud application development ecosystem. The affected packages and versions named in reporting are mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. Collectively, those four packages receive approximately 572,000 weekly downloads and are widely used by developers building cloud applications.

According to the reporting, the compromised packages contain malicious preinstall scripts that execute automatically on every npm install — running attacker-controlled code before any application code runs.

How the Mini Shai-Hulud attack operates

Security firm Wiz described the campaign as deploying a "multi-stage payload" with specific objectives: steal developer secrets, self-propagate, encrypt the stolen material, and exfiltrate the encrypted data into new GitHub repositories created under the victim's own account. Wiz warned that "The second-stage payload is a credential stealer and propagation framework designed to target both developer environments and CI/CD pipelines." The firm added that it "collects sensitive data including GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets – leveraging advanced techniques such as extracting secrets from runner memory."

Wiz further reported that exfiltration "occurs via public GitHub repositories, where it posts encrypted payloads," and that the malware "includes propagation logic to infect additional repositories and package distributions." The campaign is being called the "Mini Shai-Hulud worm" because of similarities to an earlier self-propagating Shai-Hulud malware that targeted npm packages.

Intercom npm and PyPI lightning show the same fingerprints

On Thursday, additional compromises surfaced beyond the SAP ecosystem. Security firms Wiz and Socket reported that the intercom-client npm package had been poisoned; Wiz flagged intercom-client@7.0.5 while Socket described intercom-client@7.0.4. Intercom's official SDK sees about 360,000 weekly downloads and npm lists more than 100 dependent projects. Socket cautioned that the real exposure likely extends beyond direct dependents because the package is commonly installed in backend services, developer environments, and CI/CD pipelines that integrate with Intercom's API.

Also on Thursday, PyPI package lightning versions 2.6.2 and 2.6.3 were poisoned to execute credential-stealing malware on import. Reporting describes Lightning as a deep learning framework that developers download "hundreds of thousands of times every day." Socket noted that "The obfuscated JavaScript payload contains many similarities to the Shai-Hulud attacks, overlapping in targeted tokens, credentials and obfuscation methods," and added that it "identified signs that router_runtime.js both poisons GitHub repositories and infects developer npm packages."

Wiz and Socket say the Intercom and lightning attacks appear to contain the same malicious code seen in the SAP operation.

Attribution: TeamPCP linked to a string of recent supply-chain hits

Both Wiz and Socket attributed the SAP compromise to a cybercrime group they identify as TeamPCP. The reporting links TeamPCP to earlier supply-chain infections that affected Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy.

Attackers reportedly infected all versions of the affected packages with the same credential-stealing malware, and the Thursday compromises on Intercom and lightning “appear to contain the same malicious code” as the SAP operation, according to the security shops.

What developers, CI/CD teams, and vendors should watch

  • Developers and CI/CD teams: The malicious code uses npm preinstall scripts and, in the case of PyPI lightning, executes on import — meaning infections can occur during routine installs and automated pipeline runs. Wiz explicitly highlights the campaign's focus on extracting secrets from runner memory and GitHub Actions, pointing to direct risk for build systems and pipelines.
  • SAP, Intercom, and Lightning users (customers and partners): SAP provided this statement: "A security note is published and available for SAP customers and partners." The note is reportedly accessible only to logged-in customers. Neither Intercom nor Lightning responded to The Register's requests for comment at the time of reporting.
  • Security teams and incident responders: The campaign's combination of credential theft, encryption of stolen data, and exfiltration to public GitHub repositories under victims' accounts creates an investigative trail that spans package ecosystems, source code hosting, and CI/CD logs — all of which defenders will need to review.
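As an added example (not from The Register, Wiz or Socket), the two checks a developer or CI team would run against the mechanism and versions described above: a scan of package.json for the install-time lifecycle hooks the preinstall stage abuses, and lookups of package-lock.json and requirements.txt for the exact compromised releases named in this article. The sample inputs and the file name in the preinstall hook are constructed for the stand-alone run; the version tables are copied from the reporting.

```python
import json
import re

# Compromised releases named in the reporting (constructed lookup table, not a live feed).
BAD_NPM = {"mbt": {"1.2.48"}, "@cap-js/db-service": {"2.10.1"},
           "@cap-js/postgres": {"2.2.2"}, "@cap-js/sqlite": {"2.2.2"},
           "intercom-client": {"7.0.4", "7.0.5"}}
BAD_PYPI = {"lightning": {"2.6.2", "2.6.3"}}
LIFECYCLE = ("preinstall", "install", "postinstall")  # hooks npm runs automatically on install

def lifecycle_scripts(package_json_text: str) -> dict:
    """Return the install-time lifecycle scripts a package.json declares."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE}

def npm_lock_findings(lock_text: str) -> list:
    """Flag compromised versions in a package-lock.json (lockfileVersion 2 or 3 'packages' map)."""
    lock = json.loads(lock_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        if version in BAD_NPM.get(name, ()):
            hits.append(f"{name}@{version}")
    return hits

def pypi_findings(requirements_text: str) -> list:
    """Flag compromised pins in requirements.txt / pip freeze output (exact '==' pins only)."""
    hits = []
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9A-Za-z.]+)", line)
        if m and m.group(2) in BAD_PYPI.get(m.group(1).lower(), ()):
            hits.append(f"{m.group(1)}=={m.group(2)}")
    return hits

# Constructed sample inputs so the checks run offline.
SAMPLE_PKG = '{"name":"x","scripts":{"preinstall":"node setup_bundle.js","test":"jest"}}'
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
    "node_modules/intercom-client": {"version": "7.0.3"},
}})
SAMPLE_REQ = "numpy==1.26.4\nlightning==2.6.3\ntorch>=2.0\n"

if __name__ == "__main__":
    print(lifecycle_scripts(SAMPLE_PKG))   # {'preinstall': 'node setup_bundle.js'}
    print(npm_lock_findings(SAMPLE_LOCK))  # ['@cap-js/sqlite@2.2.2']
    print(pypi_findings(SAMPLE_REQ))       # ['lightning==2.6.3']
```

Pinning and locking dependencies makes these lookups meaningful; running installs with `npm ci --ignore-scripts` in CI prevents the preinstall stage from executing at all, at the cost of breaking packages that legitimately need it.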

The campaign described in reporting underscores a persistent pattern: attacker-controlled code arriving inside widely used developer tools, executed automatically in developer environments and pipelines, and designed to both harvest secrets and self-propagate. With poisoned packages spanning npm and PyPI and exfiltration routed through victims' GitHub repositories, the immediate questions are blunt and operational: how many downstream projects and CI runners have been touched, and which secrets have already been posted or misused? The firms tracking this activity say they will update their findings as new information emerges; The Register said it would update its story when the compromised organizations respond.

Original story at The Register