The Shai-Hulud malware targets SAP packages on npm and extracts keys, credentials and cloud configurations, then uploads them in encrypted form to public GitHub repositories.
OX Security has analyzed a new variant of the Shai-Hulud worm embedded in multiple SAP npm packages. It silently steals developer credentials and uploads them to roughly 1,200 public GitHub repositories. The affected packages account for over 2.2M monthly downloads, so patching should be treated as urgent.
Analysis of the malicious payloads
The malware is specifically built to steal secrets – passwords and tokens from the victim’s machine, CI/CD secrets when running inside GitHub Actions, and cloud secrets when it can reach AWS, Azure, or Google Cloud.
There is an evolution in both exfiltration and credential harvesting techniques.
In addition to earlier GitHub-based exfiltration, the malware now leverages dedicated infrastructure, primarily the domain zero.masscan.cloud, while also implementing a dynamic fallback mechanism.
It extracts keys, credentials, and cloud configurations, then uploads them encrypted to public GitHub repositories.
The string “A Mini Shai-Hulud has Appeared” is embedded in both the malicious package and the attacker-created GitHub repositories.
OX Security has observed real user data leaked by the malware, consistent with what was seen in the earlier Bitwarden attack.
The malware carries a locale kill switch: it does not execute if Russian is configured as the host's language. That check is the basis for the tentative assessment that the operator is Russian, since a locale check of this kind is a common way for Russia-based actors to avoid domestic victims.
| Package name | Affected versions | Fixed versions |
| --- | --- | --- |
| @cap-js/sqlite | 2.2.2 | 2.4.0 |
| @cap-js/postgres | 2.2.2 | 2.3.0 |
| @cap-js/db-service | 2.10.1 | 2.11.0 |
| mbt | 1.2.48 | 1.2.49 |
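As an added example (not code from the OX Security or Wiz write-ups), the following Node.js script checks an npm lockfile against the versions in the table above. It handles lockfileVersion 1 (nested dependencies tree) as well as 2 and 3 (flat packages map), so nested copies under another dependency are caught too. The sample lockfile embedded at the bottom is constructed input, and only the exact versions the table lists are flagged; nothing about other versions is inferred.

```javascript
// Added example: check an npm lockfile for the affected versions in the
// table above. Not from the OX Security or Wiz reports; the sample
// lockfile at the bottom is constructed input.

// Package -> versions the table marks as affected, and the fixed release.
const AFFECTED = {
  "@cap-js/sqlite":     { bad: ["2.2.2"],  fixed: "2.4.0" },
  "@cap-js/postgres":   { bad: ["2.2.2"],  fixed: "2.3.0" },
  "@cap-js/db-service": { bad: ["2.10.1"], fixed: "2.11.0" },
  "mbt":                { bad: ["1.2.48"], fixed: "1.2.49" },
};

// lockfileVersion 2/3 keys look like "node_modules/@cap-js/sqlite" or
// "node_modules/foo/node_modules/mbt"; keep the part after the last
// "node_modules/" so nested copies resolve to the bare package name.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length); // "" is the root entry
}

function check(name, version, lockPath, findings) {
  const rule = AFFECTED[name];
  if (rule && rule.bad.includes(version)) {
    findings.push({ name, version, path: lockPath, fixed: rule.fixed });
  }
}

// lockfileVersion 1 stores a nested "dependencies" tree instead of a flat map.
function walkV1(deps, parent, findings) {
  for (const [name, entry] of Object.entries(deps)) {
    const lockPath = `${parent}node_modules/${name}`;
    check(name, entry.version, lockPath, findings);
    if (entry.dependencies) walkV1(entry.dependencies, `${lockPath}/`, findings);
  }
}

function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(lockPath);
      if (name && entry.version) check(name, entry.version, lockPath, findings);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

// Constructed sample: one affected @cap-js/sqlite, one affected mbt, one
// already-fixed db-service, and an unrelated package.
const SAMPLE_LOCK = {
  name: "cap-demo",
  lockfileVersion: 3,
  packages: {
    "": { name: "cap-demo", dependencies: { "@cap-js/sqlite": "^2.2.0", mbt: "^1.2.0" } },
    "node_modules/@cap-js/sqlite": { version: "2.2.2" },
    "node_modules/@cap-js/db-service": { version: "2.11.0" },
    "node_modules/mbt": { version: "1.2.48" },
    "node_modules/express": { version: "4.21.0" },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned.
function main(argv) {
  const lock = argv[2]
    ? JSON.parse(require("fs").readFileSync(argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path} -> upgrade to ${f.fixed}`);
  }
  return findings.length; // non-zero means there is something to fix
}

if (typeof require !== "undefined" && require.main === module) main(process.argv);
```

Run it against every lockfile in CI, not only the top-level one: a fixed direct dependency can still pull an affected version in transitively, and the nested-path handling above is what surfaces that case.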
Execution Technique
The attacker-created repositories continue to proliferate, with new ones constantly appearing under random names across affected developer accounts.
After collecting local and GitHub Actions secrets, the malware runs five additional cloud collectors through the same pipeline.
These target AWS SSM Parameter Store, AWS Secrets Manager, AWS STS, Azure Key Vault, and GCP Secret Manager.
A single execution can therefore attempt to drain secrets from cloud control planes wherever ambient credentials or SDK default credential chains are reachable, not only from developer laptops.
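The AWS side of that sweep has a recognisable shape in CloudTrail: one principal touching STS, SSM Parameter Store and Secrets Manager within seconds. The detection below is an added example, not from the OX Security or Wiz reports; the API names it watches are my assumptions for "read STS / SSM / Secrets Manager" (the page names the services, not the calls), and the records are constructed sample input.

```javascript
// Added example: spot a single principal sweeping several AWS secret stores
// within a short window, the CloudTrail shape a run of the cloud collectors
// above would produce. Not from the OX Security or Wiz reports. The API
// names below are assumptions for "read STS / SSM / Secrets Manager"; the
// page names the services, not the calls. Records are constructed.

const WINDOW_MS = 5 * 60 * 1000;

// Read/enumeration APIs per service (assumed mapping, see note above).
const SECRET_READ_APIS = {
  "sts.amazonaws.com": new Set(["GetCallerIdentity"]),
  "ssm.amazonaws.com": new Set(["GetParametersByPath", "GetParameters", "DescribeParameters"]),
  "secretsmanager.amazonaws.com": new Set(["ListSecrets", "GetSecretValue", "BatchGetSecretValue"]),
};

function isSecretRead(ev) {
  const apis = SECRET_READ_APIS[ev.eventSource];
  return Boolean(apis && apis.has(ev.eventName));
}

// Group secret reads by principal, then slide a time window over each
// principal's calls; report the window touching the most distinct services
// once it reaches minServices. A developer reading one secret, or an app
// polling one parameter store, never reaches the threshold.
function detectSecretSweeps(events, { windowMs = WINDOW_MS, minServices = 2 } = {}) {
  const byPrincipal = new Map();
  for (const ev of events) {
    if (!isSecretRead(ev)) continue;
    const principal = (ev.userIdentity && ev.userIdentity.arn) || "unknown";
    if (!byPrincipal.has(principal)) byPrincipal.set(principal, []);
    byPrincipal.get(principal).push({
      t: Date.parse(ev.eventTime), svc: ev.eventSource, api: ev.eventName, ip: ev.sourceIPAddress,
    });
  }
  const alerts = [];
  for (const [principal, hits] of byPrincipal) {
    hits.sort((a, b) => a.t - b.t);
    let start = 0;
    let best = null;
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].t - hits[start].t > windowMs) start++;
      const inWindow = hits.slice(start, end + 1);
      const services = new Set(inWindow.map((h) => h.svc));
      if (services.size < minServices) continue;
      if (!best || services.size > best.services.length || inWindow.length > best.calls) {
        best = {
          principal,
          services: [...services].sort(),
          calls: inWindow.length,
          sourceIps: [...new Set(inWindow.map((h) => h.ip))],
          firstSeen: new Date(hits[start].t).toISOString(),
          lastSeen: new Date(hits[end].t).toISOString(),
        };
      }
    }
    if (best) alerts.push(best);
  }
  return alerts;
}

// Minimal CloudTrail-shaped record builder for the constructed sample.
function record(eventTime, eventSource, eventName, arn, sourceIPAddress) {
  const type = arn.includes(":user/") ? "IAMUser" : "AssumedRole";
  return { eventVersion: "1.08", eventTime, eventSource, eventName, awsRegion: "us-east-1",
           sourceIPAddress, userIdentity: { type, arn, accountId: "111122223333" } };
}

const CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42";
const DEV_USER = "arn:aws:iam::111122223333:user/alice";
const APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-server/i-0abc";

const SAMPLE_EVENTS = [
  // CI runner: all three services inside four seconds (the sweep)
  record("2026-02-24T10:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", CI_ROLE, "203.0.113.10"),
  record("2026-02-24T10:00:02Z", "ssm.amazonaws.com", "GetParametersByPath", CI_ROLE, "203.0.113.10"),
  record("2026-02-24T10:00:03Z", "secretsmanager.amazonaws.com", "ListSecrets", CI_ROLE, "203.0.113.10"),
  record("2026-02-24T10:00:04Z", "secretsmanager.amazonaws.com", "BatchGetSecretValue", CI_ROLE, "203.0.113.10"),
  record("2026-02-24T10:00:05Z", "ec2.amazonaws.com", "DescribeInstances", CI_ROLE, "203.0.113.10"),
  // Developer: two unrelated reads hours apart
  record("2026-02-24T09:00:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", DEV_USER, "198.51.100.7"),
  record("2026-02-24T11:30:00Z", "sts.amazonaws.com", "GetCallerIdentity", DEV_USER, "198.51.100.7"),
  // App server: polls one service only
  record("2026-02-24T10:05:00Z", "ssm.amazonaws.com", "GetParameters", APP_ROLE, "10.0.0.5"),
  record("2026-02-24T10:06:00Z", "ssm.amazonaws.com", "GetParameters", APP_ROLE, "10.0.0.5"),
];

for (const a of detectSecretSweeps(SAMPLE_EVENTS)) {
  console.log(`SWEEP ${a.principal}: ${a.services.join(", ")} (${a.calls} calls, ${a.firstSeen}..${a.lastSeen})`);
}
```

The same windowed, multi-service rule carries over to Azure Key Vault diagnostic logs and GCP Secret Manager audit logs with different field names; the point is the burst across stores from one identity, which is what an automated collector does and an engineer rarely does. Tune minServices to 3 if two-service hits from CI roles are routine in your environment.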
Browser Credential Theft
The SAP operation adds the ability to steal credentials from multiple browsers (Chrome, Safari, Edge, Brave, Chromium) and exfiltrate any passwords found there. This feature was not present in any of the previous operations.
Exfiltration Fallback Mechanism
Consistent with previous Shai-Hulud attacks, this variant has a fallback for exfiltrating secrets from environments that hold no local GitHub (GH) token or credentials. If local credential harvesting fails, the malware searches GitHub for commits whose message begins with the signature phrase “OhNoWhatsGoingOnWithGitHub”. Both this phrase and the “A Mini Shai-Hulud has Appeared” string are also usable by defenders as hunting terms in GitHub commit and code search.
Key inputs for security teams to avoid supply-chain compromise
Sources:
https://www.ox.security/blog/shai-hulud-sap-supply-chain-attack-npm/
https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm