Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
The ongoing Mini Shai-Hulud campaign expanded its operations by directly targeting enterprise resource environments, specifically compromising SAP-related npm packages. The attackers integrated a sophisticated postinstall payload that runs natively using the high-performance Bun runtime engine rather than standard Node.js execution hooks. Once an organization pulls the infected package into their development or deployment pipelines, the script triggers immediately, scanning local files, environmental variables, and continuous integration paths to harvest authentication tokens, cloud deployment access codes, and proprietary corporate secrets. The malware is heavily engineered to use these newly stolen credentials to automatically access connected GitHub repositories, searching for further access vectors and deploying a secondary replication mechanism called OhNoWhatsGoingOnWithGitHub to pivot deeper into corporate cloud platforms.Enterprise architecture teams must immediately lock down their package managers and freeze updates for any SAP-related npm modules. Engineering leads should scan their environments for unauthorized Bun executions and check system profiles for the presence of anomalous repository scripts. It is critical to revoke and regenerate all GitHub access tokens, cloud service account keys, and environment variables that were exposed during the compromise window, while enforcing strict IP address restrictions on code publishing platforms.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.
Related Articles





