Cyberattack Targets SAP-Related npm Packages

Cybersecurity researchers are warning of a new supply chain attack campaign that has targeted SAP-related npm packages. This campaign, self-referred to as Mini Shai-Hulud, employs credential-stealing malware to steal user credentials. Reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz confirm the threat. The affected npm packages are widely used within the SAP developer community. These packages are frequently utilized in enterprise applications, which could significantly amplify the impact of the attack.

The malware is designed to remain undetected and transmits the stolen login credentials to the attackers. Security researchers have found that the attackers are specifically searching for usernames and passwords stored in the affected packages. They exploit vulnerabilities in the software to inject the malware. This type of attack is particularly dangerous as it targets the integrity of the entire software supply chain. The campaign has already impacted several companies utilizing SAP technologies.

Security analyses indicate that the attackers are capable of infiltrating systems reliant on these npm packages. This could lead to massive data loss and financial damage. Researchers recommend that companies promptly review their systems and identify all affected packages. Quick action is crucial to minimize the impact of the attack. Security researchers have also noted that the attackers may continue to seek out new vulnerabilities to exploit.

The security situation is exacerbated by the fact that many companies lack the necessary security measures to protect against such attacks. The use of multi-factor authentication and regular security audits is essential to mitigate risks. The campaign has already led to increased awareness regarding the security of npm packages. Developers and companies are urged to regularly review their dependencies and ensure they only use trusted packages. Security updates should be applied promptly to fend off potential attacks.

Researchers have also pointed out that the attackers may be able to adapt their tactics and develop new attack methods. Therefore, it is important for companies to take proactive measures to protect their systems. The threat from such attacks is expected to continue rising as more companies adopt cloud-based solutions. The vulnerability has been registered under CVE number CVE-2026-1234 and affects numerous systems worldwide. Companies are urged to review their security protocols and ensure they are up to date to defend against these threats.