SAP-Related npm Packages Hit by Supply Chain Attack as Credential-Stealing Malware Raises Alarm

Cybersecurity researchers have uncovered a supply chain attack campaign targeting SAP-related npm packages. Attackers embedded credential-stealing malware into multiple packages associated with SAP JavaScript and cloud applications, prompting joint warnings from several security vendors.

Supply Chain Attack Strikes Again: SAP npm Ecosystem Under Precision Assault

Multiple cybersecurity research organizations have jointly issued an alert over a supply chain attack targeting SAP-related npm packages. Attackers planted credential-stealing malware into legitimate software packages in an attempt to harvest sensitive credentials from developers and enterprise users at scale, reigniting concerns over open-source software supply chain security.

Attack Details: A Malicious Campaign Called 'mini Shai-Hulud'

According to reports from Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the threat actor behind this campaign calls themselves "mini Shai-Hulud" — a name derived from the sandworms in the science fiction novel Dune, hinting at an attack style that lurks deep within code, waiting to strike.

The attack primarily targets npm packages related to SAP's JavaScript framework and cloud application development. By tampering with these widely used packages, the attackers embedded credential-stealing code. Once a developer installs or updates a compromised package in their project, the malicious code executes automatically, collecting sensitive information such as environment variables, API keys, and database credentials, then exfiltrating it to attacker-controlled servers.

Scope of Impact and Technical Analysis

The severity of this attack should not be underestimated, with key concerns including:

  • Broad Attack Surface: As one of the world's largest enterprise software vendors, SAP's JavaScript ecosystem and cloud application platform serve a massive developer community. The affected npm packages often have tens of thousands of downloads, meaning the number of impacted developers and organizations could be substantial.

  • High Stealth: Rather than creating entirely new typosquatting packages, the attackers injected malicious code into existing legitimate packages, making traditional typosquatting detection methods largely ineffective.

  • Cascading Effects of Credential Theft: Stolen credentials could be used for further lateral movement, potentially allowing attackers to access enterprise SAP cloud environments, databases, and other critical infrastructure, leading to broader data breaches.

Security researchers note that this incident once again highlights the fragility of the open-source software supply chain. As the world's largest package registry, the npm ecosystem has long been a hotspot for supply chain attacks.

AI-Powered Security Detection: Multi-Party Collaboration Against Emerging Threats

Notably, the discovery of this attack was made possible by AI-driven automated code auditing and anomaly detection capabilities deployed by multiple security vendors. Companies such as Wiz and Socket have been continuously applying AI and machine learning technologies to software supply chain security in recent years, significantly improving detection efficiency for such stealthy attacks through intelligent analysis of code change patterns, dependency anomalies, and network behavior signatures.

Security experts recommend that developers and organizations take the following steps immediately:

  1. Audit Project Dependencies: Check whether any affected SAP-related npm packages are used in your projects and verify package versions and integrity.
  2. Rotate Credentials: If compromised packages have been installed, immediately rotate all potentially exposed keys and credentials.
  3. Enable Lock Files: Use package-lock.json or yarn.lock to pin dependency versions and prevent automatically pulling tampered updates.
  4. Deploy Supply Chain Security Tools: Adopt supply chain security scanning tools such as Socket and Snyk for continuous monitoring of dependencies.

Outlook: Supply Chain Security Set to Become a Core Priority in Enterprise Digital Transformation

This attack on SAP npm packages serves as yet another wake-up call. As enterprises deepen their digital transformation and grow increasingly dependent on open-source components, supply chain attack risks continue to escalate in tandem. Industry observers expect more organizations to incorporate software supply chain security into their core security strategies, with AI-driven automated security detection playing an increasingly critical role in this domain.

The open-source community and commercial software vendors must work together to establish more robust package signature verification, publishing permission controls, and anomaly detection mechanisms to fundamentally strengthen the security resilience of the entire ecosystem.