The latest supply‑chain breach discovered on 29 April 2026 targets critical npm packages used across the SAP Cloud Application Programming Model (CAP) ecosystem. Four packages – [email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected] – were compromised with a stealthy pre‑install hook that downloads and executes a malicious Bun runtime. The attack introduces an execution path during package installation, allowing the payload to harvest credentials, exfiltrate data, and propagate itself across npm accounts and CI/CD pipelines.
Below is a threat‑report‑style summary that security analysts can use to assess impact, detect anomalies, and remediate vulnerabilities.
Technical Analysis
- Each tarball contains three injected files: a modified
package.jsonwith apreinstallhook, a universalsetup.mjsloader, and a large obfuscatedexecution.jspayload. - The loader downloads
bun-v1.3.13fromgithub.com/oven-sh/bun/releases, extracts it, and runsexecution.jsunder Bun. It bypasses PowerShell execution policy on Windows and follows HTTP redirects without validation. - The payload is ~11.7 MB, obfuscated with a JavaScript obfuscator and a second PBKDF2‑based cipher. It contains a Russian locale kill‑switch and environment‑specific branching for developers and CI runners.
- Credential harvesting targets SSH keys, cloud provider credentials (AWS, Azure, GCP, Kubernetes), npm and Docker configs, GitHub CLI tokens, AI tool configs, and cryptocurrency wallets. It also probes cloud metadata endpoints via direct HTTP requests.
- For CI runners, the payload embeds a Python script that reads process memory to extract secrets, bypassing CI log masking. This technique mirrors the memory scanner used in prior TeamPCP incidents.
- Exfiltration is dual‑layered: data is encrypted with RSA‑OAEP‑4096 and AES‑256‑GCM, then uploaded to a newly created GitHub repository with a unique naming pattern (e.g.,
prescient-lasgun-242). The repository description contains a static string used as a dead‑drop identifier. The payload also posts to a threat‑actor domain (audit.checkmarx[.]cx/v1/telemetry) as an alternate channel. - Persistence is achieved through IDE hooks: .claude/settings.json and .vscode/tasks.json inject commands that re‑download Bun and re‑execute the payload on each project or AI assistant session.
- The attacker enumerates the victim’s npm packages and injects
execution.jsinto each, using the stolen npm token to publish updates with a commit message (“chore: update dependencies”).
Attribution
- Medium confidence link to TeamPCP, based on shared encryption primitives, Russian locale guard, and the use of GitHub repositories for staging and exfiltration.
- Operational similarities with prior TeamPCP campaigns targeting Aqua Trivy, LiteLLM, Checkmarx, Telnyx, and Bitwarden.
- All four compromised packages exhibit identical loader hashes (MD5:
35baf8316645372eea40b91d48acb067), indicating a coordinated injection wave.
Indicators of Compromise
- Files:
setup.mjs(hash:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34),execution.js(multiple hashes),tmp.987654321.lock. - Network: suspicious requests to
http://169.254.169.254,http://169.254.170.2,http://127.0.0.1:40342,http://metadata.google.internalfrom npm, node, or Bun processes. - GitHub: dead‑drop query
https://api.github.com/search/commits?q=OhNoWhatsGoingOnWithGitHub, commit messages containingOhNoWhatsGoingOnWithGitHuborchore: update dependencies, repository descriptions statingA Mini Shai-Hulud has Appeared.
Detection Opportunities
- Monitor package installation logs for
preinstallhooks and unexpected binary downloads. - Track outbound HTTP calls from npm/node processes to cloud metadata endpoints.
- Watch for new GitHub repositories with the specific naming pattern and description.
- Inspect CI/CD logs for memory‑scanning scripts or unusual commit messages.
Recommendations
- Immediate review of
package-lock.jsonandyarn.lockfor the affected versions. Pin to earlier, uncorrupted releases or remove the packages entirely. - Rotate all cloud provider credentials, GitHub tokens, and any secrets that may have been exposed during the installation window.
- Implement a policy that blocks pre‑install scripts from unknown or untrusted npm packages, or enforce a no‑preinstall rule in CI environments.
- Deploy network monitoring to detect outbound connections to the listed metadata URLs and to GitHub dead‑drop endpoints.
- Use automated scanning tools (e.g., Socket, Snyk, Wiz) to check for known malicious hashes and file signatures in your dependency tree.
- Educate developers on the risks of installing npm packages with lifecycle hooks and encourage the use of lockfiles and integrity checks.
- Consider moving to a verified‑distribution channel (e.g., SAP’s own package registry) for critical CAP components.
- Set up alerts for new GitHub repository creations that match the attacker’s naming scheme.
Security analysts should treat this incident as a high‑impact supply‑chain event. The rapid deployment of the attack across multiple core npm packages highlights the need for stringent dependency hygiene, vigilant monitoring of installation processes, and proactive credential rotation. By following the detection and mitigation steps above, organizations can reduce the risk of credential theft, data exfiltration, and further propagation within their CI/CD pipelines.

