Casinoindex

10 Critical Lessons from the SAP npm Package Attack on Developer Tools and CI/CD Pipelines

Published: 2026-05-05 01:10:40 | Category: Programming

The recent supply chain attack targeting SAP-related npm packages—dubbed “mini Shai-Hulud”—has sent shockwaves through the developer community. By compromising popular libraries used in SAP’s JavaScript and cloud application development ecosystem, the attackers demonstrated how a single tainted dependency can cascade into a full-blown security crisis. This incident forces security teams to rethink the trust placed in open-source components, CI/CD workflows, and even developer workstations. Below are ten essential takeaways that every organization must understand to protect its software supply chain.

1. The “Mini Shai-Hulud” Campaign: A Targeted npm Attack

On April 29, attackers published malicious versions of several SAP-related npm packages, including mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. These packages are integral to building cloud applications with SAP’s CAP (Cloud Application Programming) model. Shortly after the poisoned versions were discovered, the maintainers replaced them with safe releases, but the damage had already begun. The campaign highlights the growing trend of supply chain attacks targeting high-value enterprise ecosystems, where a compromise can affect thousands of downstream users.

Source: www.infoworld.com

2. Malicious Installation-Time Code Harvests Sensitive Credentials

The malicious npm packages included installation-time scripts that executed automatically when developers ran npm install. These scripts were designed to steal a wide range of credentials: developer login details, GitHub personal access tokens, npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes environments. The malware encrypted this stolen data and sent it to public GitHub repositories created from the victims’ own accounts. This multi-target approach shows that attackers are now building tools that treat the entire developer ecosystem as a single attack surface.

3. Attack Vector: OIDC Trusted Publishing Misconfiguration and Static Tokens

Security researchers from SafeDep and Wiz identified that the attackers exploited a gap in npm’s OIDC (OpenID Connect) trusted publishing setup for the @cap-js packages. This configuration allowed unauthorized users—if they possessed a valid OIDC token from a compromised GitHub Actions workflow—to publish malicious versions. Additionally, the compromise of the mbt package likely involved a static npm token that was either leaked or stolen. These vulnerabilities underscore the importance of securing token storage and reviewing OIDC trust configurations in package registries.

4. Data Exfiltration via Victims’ Own GitHub Repositories

A particularly cunning aspect of the attack was how the malware exfiltrated stolen data. Instead of sending credentials to an external command-and-control server, the malicious code created new public repositories in the victim’s own GitHub account and pushed encrypted payloads there. This technique makes detection harder because the network traffic appears legitimate—it’s just a push to a known GitHub domain. Moreover, the attackers used stolen GitHub and npm tokens to add malicious GitHub Actions workflows to accessible repositories, further spreading the infection through CI/CD pipelines.

5. Persistence via VS Code and Claude Code Configuration Files

Beyond the immediate npm compromise, the attackers attempted to persist by modifying configuration files for Visual Studio Code and Claude Code (AI-assisted coding tools). By injecting malicious settings or scripts into these files, they could maintain access to developer workstations even after the original packages were removed. This technique places AI-powered development tools—increasingly popular in enterprises—at the center of supply chain risk. It also signals that attackers are studying developer workflows to find novel persistence mechanisms.

6. Developer Workstations: The New Master Key

“The fact that the malware was designed to harvest GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes in a single pass tells you that attackers now treat the developer workstation as a master key,” said Sakshi Grover, senior research manager at IDC Asia Pacific. This quote from the original article captures the shift: developers’ local environments—often less strictly governed than production—contain the tokens and secrets needed to access nearly every part of the software delivery pipeline. Securing these endpoints is no longer optional.


7. Lateral Spread Within CI/CD Pipelines Amplifies Damage

A single compromised developer identity in a CI/CD pipeline can give attackers a route into the wider software supply chain. Once inside, they can push malicious code into packages that downstream developers install with little visibility into tampering. The mini Shai-Hulud campaign leveraged this: stolen tokens allowed the attackers to add malicious GitHub Actions workflows to other repositories, effectively creating a self-propagating infection. This lateral movement means that one overlooked vulnerability in a developer’s environment can lead to a cascading breach across multiple projects and organizations.

8. Enterprises Are Still Planning AI-Driven Defenses—But Time Is Running Out

IDC’s Asia Pacific Security Survey 2025 found that 46% of enterprises plan to deploy AI for third-party and supply chain risk analysis within the next 12 to 24 months. However, as Grover noted, many organizations are still in the planning stage and have yet to operationalize these defenses. The mini Shai-Hulud attack demonstrates that attackers act faster than many security teams can adapt. AI-driven tools can help detect anomalous package behavior or suspicious use of secrets, but without immediate implementation, organizations remain exposed.

9. Implications for CISOs: Developer Environments Need the Same Rigor as Production

For CISOs, the campaign is a wake-up call. A tainted dependency can move beyond the build process before anyone detects it. The incident adds to concerns that developer environments—despite being the starting point for enterprise software delivery—are not governed with the same rigor as production systems. Sunil Varkey, a cybersecurity analyst, described the campaign as a case of “living off the land” where attackers use legitimate tools and processes against the defenders. CISOs must push for stronger secrets management, limited token lifetime, and continuous monitoring of developer endpoints.

10. Key Takeaways to Protect Your Software Supply Chain

To defend against attacks like mini Shai-Hulud, organizations should implement these measures:

1) Enforce multi-factor authentication and short-lived tokens for npm and GitHub access.
2) Regularly audit OIDC trusted publishing configurations in package registries.
3) Use package integrity checks (e.g., lock files, package hash verification).
4) Monitor developer workstations for anomalous processes, especially during package installs.
5) Deploy AI-based supply chain analysis tools that can flag suspicious package behavior in real time.

Finally, treat developer environments as critical infrastructure—their security is fundamental to the entire software delivery lifecycle.

The mini Shai-Hulud campaign proves that supply chain attacks are becoming more sophisticated, targeting the very tools developers trust. By learning from this incident and acting on its lessons, organizations can strengthen their defenses before the next wave hits. The time to secure your CI/CD pipelines and developer workstations is now—not after the breach.