Quick Facts
- Category: AI & Machine Learning
- Published: 2026-04-30 18:50:43
Overview of the Mini Shai-Hulud Campaign
A sophisticated supply chain attack campaign has been uncovered by a coalition of cybersecurity researchers, targeting developers within the SAP ecosystem. Dubbed 'Mini Shai-Hulud,' this operation involves the compromise of npm packages commonly used in SAP-related development projects. The campaign was detected and reported by a group of security firms including Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz. Their findings reveal a coordinated effort to inject credential-stealing malware into the software supply chain, posing a significant risk to organizations that rely on SAP systems.

How the Attack Unfolds
The attackers began by identifying popular npm packages that are integral to SAP development workflows. These packages were then modified to include malicious code that, when installed, would silently harvest credentials from the developer's environment. The malware is designed to capture SAP login credentials, database passwords, and other sensitive authentication data. Once stolen, this information is exfiltrated to command-and-control servers controlled by the threat actors. The technique is a classic supply chain attack, leveraging trust in third-party libraries to gain access to internal systems.
Affected Packages and Scope
While the exact list of compromised packages has not been fully disclosed, researchers indicate that multiple packages associated with SAP integrations, such as the sap-hana, sap-cloud-connector, and sap-btp libraries, were targeted. The campaign appears to have been active for several months, with malicious versions of these packages published to the npm registry. Given the widespread use of npm in the SAP developer community, the potential impact is substantial. Organizations that unknowingly installed these tainted packages may have exposed critical credentials, leading to data breaches or system compromise.
Technical Details of the Malware
Analysis of the malware reveals a multi-stage attack process. The initial malicious payload is typically obfuscated JavaScript code embedded within legitimate-looking package files. Once executed, the code performs environment reconnaissance to detect SAP-related tools and configurations. It then hooks into common authentication libraries to intercept credential input. The exfiltration mechanism uses web requests to mimic normal traffic, making it difficult to detect with standard network monitoring. Researchers also noted that the attackers employed typosquatting techniques, creating packages with names similar to popular SAP npm modules to increase the likelihood of accidental installation.
Why SAP Developers Are in the Crosshairs
SAP systems are the backbone of enterprise resource planning (ERP) for many large organizations. Gaining credentials to SAP environments can provide attackers with access to financial records, customer data, and other sensitive business information. The npm ecosystem, while essential for modern JavaScript development, has been a frequent target for supply chain attacks due to its open nature and rapid package publication. By focusing on SAP-related packages, the attackers are strategically positioning themselves to compromise high-value targets. This campaign highlights the growing need for stricter security measures in the open-source package management space.
Industry Response and Mitigation
In response to the Mini Shai-Hulud campaign, cybersecurity firms have issued alerts and provided indicators of compromise (IOCs) to help organizations identify affected packages. Recommendations include:
- Immediately auditing npm dependencies for any SAP-related packages and verifying their integrity against known hashes provided by researchers.
- Implementing package verification tools such as Socket, which can detect suspicious behavior in npm modules.
- Enforcing strict access controls and using multi-factor authentication for SAP systems to mitigate credential theft.
- Regularly reviewing package sources and avoiding unofficial registries.
- Educating development teams about the risks of supply chain attacks and the importance of code review.
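The first recommendation above (auditing SAP-related dependencies against researcher-supplied hashes) and the typosquatting behaviour noted in the technical details can both be checked from a lockfile. The following is an added example, not code from the article or from any of the vendors named in it; every package name, version and hash in it is a constructed placeholder, and the known-good list stands in for whatever indicator list a researcher actually publishes.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// by (1) comparing each locked integrity hash with a known-good list and
// (2) flagging names within a small edit distance of a known-good name,
// the near-miss naming pattern typosquatting relies on. All values are CONSTRUCTED.

// Levenshtein distance: number of single-character edits turning a into b.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// lock: parsed package-lock.json; knownGood: { "name@version": "sha512-..." }.
function auditLockfile(lock, knownGood) {
  const goodNames = [...new Set(Object.keys(knownGood).map((k) => k.slice(0, k.lastIndexOf("@"))))];
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const key = `${name}@${meta.version}`;
    if (key in knownGood && meta.integrity !== knownGood[key]) {
      findings.push({ name, version: meta.version, issue: "integrity-mismatch" });
    }
    if (!goodNames.includes(name)) {
      const near = goodNames.find((g) => editDistance(name, g) <= 2);
      if (near) findings.push({ name, version: meta.version, issue: "possible-typosquat", resembles: near });
    }
  }
  return findings;
}

// Constructed sample inputs: one tampered hash, one near-miss package name.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/sap-hana": { version: "2.0.0", integrity: "sha512-PLACEHOLDER-A" },
  "node_modules/sap-btp": { version: "1.4.0", integrity: "sha512-PLACEHOLDER-TAMPERED" },
  "node_modules/sap-cloud-conector": { version: "1.0.0", integrity: "sha512-PLACEHOLDER-C" },
} };
const SAMPLE_KNOWN_GOOD = {
  "sap-hana@2.0.0": "sha512-PLACEHOLDER-A",
  "sap-btp@1.4.0": "sha512-PLACEHOLDER-B",
  "sap-cloud-connector@1.0.0": "sha512-PLACEHOLDER-C",
};
console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_KNOWN_GOOD));
```

A near-miss hit is a lead for review rather than a verdict, since legitimately named packages can sit within two edits of another name; an integrity mismatch against a trusted hash list is the stronger signal.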
The incident serves as a stark reminder that supply chain attacks are becoming more targeted and sophisticated. Developers and organizations must remain vigilant, especially when working with critical enterprise platforms like SAP. As the investigation continues, additional details may emerge, but the immediate priority is to secure affected environments and prevent further credential theft.