TeamPCP’s extensive supply chain campaign continued this week, as the cybercriminal group compromised several SAP npm packages in a “Mini Shai Hulud” attack.
The compromised packages went live Wednesday and were quickly spotted by several cybersecurity vendors, including Wiz, Socket, and Aikido Security. Four npm packages for SAP’s Cloud Application Programming Model (CAP) and Cloud MTA Build Tool (MBT) were injected with malicious preinstall scripts that execute once the dependency is installed.
“The campaign leverages a multistage payload to harvest developer and CI/CD secrets across GitHub, npm, and major cloud providers, and exfiltrates the data via attacker-controlled GitHub repositories,” Wiz researchers said in a blog post. “It also contains code designed to propagate via compromised tokens.”
The malware hard-codes a description for the attacker-controlled repositories, “A Mini Shai-Hulud has Appeared,” an apparent reference to the Shai-hulud worm attacks that have targeted npm packages since September 2025.
Wiz and Socket researchers attributed the SAP attacks to TeamPCP based on technical overlaps and operational similarities to the emerging cybercrime group’s previous campaigns. TeamPCP has in recent months compromised the packages of several open source software projects, including Trivy, a security scanner maintained by Aqua Security, and KICS, a Checkmarx-developed tool for static code analysis.
The targeting of SAP packages puts a different spin on TeamPCP attacks and potentially heightens the risk for enterprises, according to experts.
Mini Shai-Hulud Raises Stakes
Socket’s research team noted in a blog post that the four npm packages have “meaningful reach across the SAP developer ecosystem,” with hundreds of thousands of downloads per week. Like previous TeamPCP attacks, the payloads collected GitHub, npm, Kubernetes, CI/CD, and cloud credentials, which were then used to compromise additional repositories and packages and even to breach downstream customer organizations.
The poisoned packages include @cap-js/sqlite – v2.2.2; @cap-js/postgres – v2.2.2; @cap-js/db-service – v2.10.1; and mbt – v1.2.48. The CAP packages are connected to SAP cloud deployment workflows, while the MBT package is used to build deployment-ready, multi-target application (MTA) archive files.
The poisoned packages were taken down soon after they were published. Dark Reading contacted SAP for comment on the attacks, but the company did not respond at press time.
With the targeting of a small number of high-value enterprise software packages, the Mini Shai-Hulud campaign stands out compared to previous supply chain attacks. “Instead of spreading across many random packages, this one hit SAP, where a successful install could run on developer machines or CI jobs with access to GitHub, npm, cloud, and deployment secrets,” Raphael Silva, researcher at Aikido Security, tells Dark Reading. “So the package count is small, but the potential value of each compromised environment can be very high. We’re probably yet to see the full fallout from this campaign.”
The attribution to TeamPCP rests on tradecraft that overlaps with the group’s previous attacks. The second-stage payload terminates before any data is exfiltrated if the system is configured for the Russian language, and the stolen data is encrypted with the same RSA public key the group used to encrypt exfiltrated data in past campaigns.
But the campaign’s reference to the Shai-hulud worm campaigns appears to be just that — a reference, and nothing more. “While this operation contains references to the Shai-Hulud operations from the fall of 2025, we cannot definitively link them or say they are a separate actor,” Wiz researchers noted.
Silva also says a notable difference is that “earlier Shai-Hulud waves dumped secrets in the open, while this campaign encrypted the stolen data.” Beyond the borrowed name, then, there is no apparent connection between TeamPCP and the earlier Shai-hulud worm attacks.
Expanding Scope of Supply Chain Attacks
In past TeamPCP incidents, the threat actors have used the stolen credentials and secrets in one compromised package or open source project to gain access to other packages, creating a cascading series of supply chain attacks.
While researchers haven’t definitively figured out how TeamPCP actors gained access to the SAP packages, one researcher has a theory. In a post on X yesterday, security engineer Adnan Khan said the likely culprit was an npm token that was exposed to pull request builds in the SAP/cloud-mta-build-tool repository through a misconfiguration in CircleCI.
Silva replied in a blog post yesterday that Khan’s theory lines up with the technical evidence Aikido’s research team found when it examined the repository. But Silva tells Dark Reading that the exposed token may not be the only culprit.
“I still think the misconfigured CircleCI build is the strongest lead for the initial ‘mbt’ credential theft, but it’s probably not the single root cause for the whole SAP incident,” he says. “These attacks are usually more layered than that. The broad pattern is still the same though: steal the credentials that can publish software, then use the supply chain to reach the next set of victims.”
Socket reported today that two other supply chain attacks had hit the lightning PyPI package and Intercom’s npm package using the same tools and tradecraft as the Mini Shai-Hulud campaign. “The obfuscated JavaScript payload contains many similarities to the Shai-Hulud attacks, overlapping in targeted tokens, credentials and obfuscation methods,” Socket researchers said in a blog post on the lightning PyPI package compromise.
Regardless of how initial access was achieved for the SAP packages, the Mini Shai-Hulud campaign shows that TeamPCP is a growing threat to the software supply chain with an increasing number of victims — and highly sensitive stolen data — under its belt.
In his blog post, Silva urged organizations to search their lockfiles, package caches, CI logs, internal registries, artifact stores, and developer systems for any signs of the poisoned SAP packages, malicious scripts and payloads.
“If any affected package was installed, rotate secrets. Do not limit rotation to npm tokens,” he wrote. “The payload targets GitHub, npm, cloud providers, Kubernetes, CI secrets, and local developer tooling.”
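The hunt Silva describes, and the preinstall trigger described earlier in the article, can both be checked mechanically. The following is an added example written for this article, not code from Dark Reading, Aikido, Wiz, Socket or SAP: it scans a parsed npm `package-lock.json` (lockfile v1, v2 or v3) for the four poisoned SAP package versions the article names, and lists the npm lifecycle hooks (`preinstall`, `install`, `postinstall`) that a dependency’s `package.json` declares, since those hooks are what run attacker code at install time. The lockfile and `package.json` contents embedded below are constructed sample input, not from a real project.

```javascript
// Added example, not from the article or the projects it describes.
// Indicators are the four package versions named in the article.
const POISONED = {
  "@cap-js/sqlite": ["2.2.2"],
  "@cap-js/postgres": ["2.2.2"],
  "@cap-js/db-service": ["2.10.1"],
  "mbt": ["1.2.48"],
};

// Lockfile v2/v3 keys each installed package by its node_modules path,
// e.g. "node_modules/a/node_modules/@cap-js/sqlite". The package name is
// everything after the last "node_modules/" (scoped names keep their "@scope/").
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Lockfile v1 nests packages under "dependencies", keyed by name.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// Flatten any supported lockfile into [{name, version, path}].
function installedPackages(lockfile) {
  const out = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === "") continue; // "" is the root project itself
      const name = entry.name || packageNameFromPath(path);
      if (name) out.push({ name, version: entry.version, path });
    }
  } else {
    walkV1(lockfile.dependencies, "", out);
  }
  return out;
}

// Exact name+version matches against the indicator list.
function findPoisonedPackages(lockfile) {
  return installedPackages(lockfile).filter((p) =>
    (POISONED[p.name] || []).includes(p.version)
  );
}

// npm runs these scripts automatically during `npm install`; a package that
// declares one deserves a look even when it is not on an indicator list.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function findInstallHooks(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts).map((hook) => ({
    hook,
    command: scripts[hook],
  }));
}

// Constructed sample lockfile (v3): one poisoned dependency, one clean
// version of another SAP package, one unrelated package.
const SAMPLE_LOCKFILE = {
  name: "example-cap-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cap-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2" },
    "node_modules/@cap-js/db-service": { version: "2.10.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Constructed sample package.json shaped like a dependency with an install hook.
const SAMPLE_PKG_JSON = {
  name: "example-dep",
  version: "9.9.9",
  scripts: { preinstall: "node setup_bundle.js", test: "mocha" },
};

console.log("poisoned:", JSON.stringify(findPoisonedPackages(SAMPLE_LOCKFILE)));
console.log("install hooks:", JSON.stringify(findInstallHooks(SAMPLE_PKG_JSON)));
```

In a real hunt, feed `JSON.parse(fs.readFileSync("package-lock.json"))` to `findPoisonedPackages` for every lockfile in the estate, and run `findInstallHooks` over each `node_modules/*/package.json`; a hit in either list is the signal to treat the host or CI runner as compromised and rotate every secret it could reach, not just npm tokens.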