TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack
Several npm packages for SAP's cloud application development ecosystem have been compromised as TeamPCP's supply chain attacks broaden.
Rob Wright,Senior News Director,Dark Reading
April 30, 2026
6 Min Read
TeamPCP's extensive supply chain campaign continued this week, as the cybercriminal group compromised several SAP npm packages in a "Mini Shai Hulud" attack.
The compromised packages went live Wednesday and were quickly spotted by several cybersecurity vendors, including Wiz, Socket, and Aikido Security. Four npm packages for SAP's Cloud Application Programming Model (CAP) and Cloud MTA Build Tool (MBT) were injected with malicious preinstall scripts that execute once the dependency is installed.
"The campaign leverages a multistage payload to harvest developer and CI/CD secrets across GitHub, npm, and major cloud providers, and exfiltrates the data via attacker-controlled GitHub repositories," Wiz researchers said in a blog post. "It also contains code designed to propagate via compromised tokens."
The malware contains hard-coded descriptions for the attacker-controlled repositories: "A Mini Shai-Hulud has Appeared" is an apparent reference to the Shai-hulud worm attacks that have targeted npm packages since September 2025.
Wiz and Socket researchers attributed the SAP attacks to TeamPCP based on technical overlaps and operational similarities to the emerging cybercrime group's previous campaigns. TeamPCP has in recent months compromised the packages of several open source software projects, including Trivy, a security scanner maintained by Aqua Security, and KICS, a Checkmarx-developed tool for static code analysis.
The targeting of SAP packages puts a different spin on TeamPCP attacks and potentially heightens the risk for enterprises, according to experts.
Mini Shai-Hulud Raises Stakes
Socket's research team noted in a blog post that the four npm packages have "meaningful reach across the SAP developer ecosystem," with hundreds of thousands of downloads per week. Like previous TeamPCP attacks, the payloads collected GitHub, npm, Kubernetes, CI/CD, and cloud credentials, which are then used to compromise additional repositories and packages and even breach downstream customer organizations.
The poisoned packages include @cap-js/sqlite – v2.2.2; @cap-js/postgres – v2.2.2; @cap-js/db-service – v2.10.1; and mbt – v1.2.48. The CAP packages are connected to SAP cloud deployment workflows, while the MBT package is used to build deployment-ready, multi-target application (MTA) archive files.
In a statement to Dark Reading, Socket said it didn’t have a reliable download count of the malicious packages, noting that npm download data can lag and is not always version-specific in real time. "The affected SAP packages have more than half a million aggregate weekly downloads, which makes this a serious exposure concern for the SAP developer ecosystem," the company said.
The poisoned packages were taken down soon after they were published. Dark Reading contacted SAP for comment on the attacks, and the company responded on Friday with the following statement: "A security note https://me.sap.com/notes/3747787 is published and available for SAP customers and partners."
With the targeting of a small number of high-value enterprise software packages, the Mini Shai-Hulud campaign stands out compared to previous supply chain attacks. "Instead of spreading across many random packages, this one hit SAP, where a successful install could run on developer machines or CI jobs with access to GitHub, npm, cloud, and deployment secrets," Raphael Silva, researcher at Aikido Security, tells Dark Reading. "So the package count is small, but the potential value of each compromised environment can be very high. We're probably yet to see the full fallout from this campaign."
The attacks were attributed to TeamPCP based on overlapping tradecraft with the group's previous attacks. The second-stage payload terminates before data exfiltration if the system is configured for the Russian language, and the stolen data is encrypted with the same RSA public key that TeamPCP used in past campaigns.
But the campaign's reference to the Shai-hulud worm campaigns appears to be just that — a reference, and nothing more. "While this operation contains references to the Shai-Hulud operations from the fall of 2025, we cannot definitively link them or say they are a separate actor," Wiz researchers noted.
Silva also says a notable difference is that "earlier Shai-Hulud waves dumped secrets in the open, while this campaign encrypted the stolen data." Thus, there's no apparent connection between TeamPCP and the earlier Shai-hulud worm attacks.
Expanding Scope of Supply Chain Attacks
In past TeamPCP incidents, the threat actors have used the stolen credentials and secrets in one compromised package or open source project to gain access to other packages, creating a cascading series of supply chain attacks.
While researchers haven't definitively figured out how TeamPCP actors gained access to the SAP packages, one researcher has a theory. In a post on X yesterday, security engineer Adnan Khan said the likely culprit was an npm token that was exposed to pull request builds in the SAP/cloud-mta-build-tool repository through a misconfiguration in CircleCI.
Silva replied in a blog post yesterday that Khan's theory lines up with the technical evidence Aikido's research team found when it examined the repository. But Silva tells Dark Reading that the exposed token may not be the only culprit.
"I still think the misconfigured CircleCI build is the strongest lead for the initial 'mbt' credential theft, but it's probably not the single root cause for the whole SAP incident," he says. "These attacks are usually more layered than that. The broad pattern is still the same though: steal the credentials that can publish software, then use the supply chain to reach the next set of victims."
Socket reported today that two other supply chain attacks had hit the lightning PyPI package and Intercom's npm package using the same tools and tradecraft as the Mini Shai-Hulud campaign. "The obfuscated JavaScript payload contains many similarities to the Shai-Hulud attacks, overlapping in targeted tokens, credentials and obfuscation methods," Socket researchers said in a blog post on the lightning PyPI package compromise.
Regardless of how initial access was achieved for the SAP packages, the Mini Shai-Hulud campaign shows that TeamPCP is a growing threat to the software supply chain with an increasing number of victims — and highly sensitive stolen data — under its belt.
"The Mini Shai-Hulud campaign appears to be moving quickly across ecosystems, from SAP-related npm packages to AI/ML Python infrastructure and a widely used SaaS SDK," Socket said in the statement to Dark Reading.
In his blog post, Silva urged organizations to search their lockfiles, package caches, CI logs, internal registries, artifact stores, and developer systems for any signs of the poisoned SAP packages, malicious scripts and payloads.
"If any affected package was installed, rotate secrets. Do not limit rotation to npm tokens," he wrote. "The payload targets GitHub, npm, cloud providers, Kubernetes, CI secrets, and local developer tooling."
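One way to carry out the lockfile search described above, as an added example that is not code from the article, SAP, Socket or Aikido: a small Node.js script that walks an npm package-lock.json (v1 "dependencies" tree or v2/v3 "packages" map) and reports any entry matching the four poisoned package versions named in this article, and separately lists every entry that npm has marked with hasInstallScript, since a preinstall hook is the mechanism the poisoned packages used. The indicator list is taken from the article; the sample lockfile below is constructed for the demonstration.

```javascript
// Added example: scan an npm lockfile for the poisoned SAP package versions
// reported in the article and for entries that declare install-time scripts.

// Indicators taken from the article (package name -> affected versions).
const POISONED = {
  "@cap-js/sqlite": ["2.2.2"],
  "@cap-js/postgres": ["2.2.2"],
  "@cap-js/db-service": ["2.10.1"],
  "mbt": ["1.2.48"],
};

// A lockfile v2/v3 key looks like "node_modules/@cap-js/sqlite" or, for a
// nested copy, "node_modules/foo/node_modules/@cap-js/sqlite"; the package
// name is whatever follows the last "node_modules/".
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns { poisoned: [{name, version, where}], installScripts: [where] }.
function scanLockfile(lock) {
  const poisoned = [];
  const installScripts = [];

  const check = (name, version, where) => {
    const bad = POISONED[name];
    if (bad && bad.includes(version)) poisoned.push({ name, version, where });
  };

  // lockfileVersion 2/3: flat map keyed by install path.
  if (lock.packages) {
    for (const [lockPath, meta] of Object.entries(lock.packages)) {
      if (lockPath === "") continue; // "" is the root project itself
      check(nameFromPath(lockPath), meta.version, lockPath);
      // npm sets hasInstallScript when the package declares preinstall,
      // install or postinstall scripts; those entries deserve review.
      if (meta.hasInstallScript) installScripts.push(lockPath);
    }
  }

  // lockfileVersion 1: nested "dependencies" tree.
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}${name}`;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, `${where} > `);
      }
    };
    walk(lock.dependencies, "");
  }

  return { poisoned, installScripts };
}

// Constructed sample lockfile (not a real project): one poisoned version,
// one clean version of another CAP package, and one unrelated dependency.
const SAMPLE_LOCK = {
  name: "demo-cap-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-cap-app", dependencies: { "@cap-js/sqlite": "^2.2.2" } },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/db-service": { version: "2.9.0" },
    "node_modules/express": { version: "4.19.2" },
  },
};

// Human-readable report for a lockfile object.
function report(lock) {
  const { poisoned, installScripts } = scanLockfile(lock);
  const lines = [];
  for (const hit of poisoned) {
    lines.push(`POISONED ${hit.name}@${hit.version} at ${hit.where}`);
  }
  for (const where of installScripts) {
    lines.push(`review install script: ${where}`);
  }
  if (lines.length === 0) lines.push("no indicators found");
  return lines;
}

console.log(report(SAMPLE_LOCK).join("\n"));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same indicator table can be reused against a yarn.lock or pnpm-lock.yaml with a different parser, and a hit on any of the four versions means the secrets listed above should be rotated, not just the npm token.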
This article was updated at 7:30 a.m. EST on May 1 to reflect a statement from Socket.
This article was updated at 2:00 p.m. EST on May 1 to reflect a statement from SAP.
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.