HotNews: Mini Shai-Hulud Supply Chain Attack Against SAP CAP npm Packages
SAP Cloud Application Programming Model (npm packages: mbt, @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)
This is not a typical SAP patch — it is a developer supply chain compromise affecting anyone building on SAP CAP. The blast radius is wider than the CVSS suggests because stolen credentials can enable further compromise of cloud accounts, source repositories, and production deployment pipelines. If your team builds CAP applications, treat this as a same-day credential rotation exercise. The 2025 Shai-Hulud worm taught us how fast npm-based attacks can propagate — Mini Shai-Hulud reinforced that lesson.
Vulnerability Detail
A supply chain attack — dubbed Mini Shai-Hulud after the 2025 worm of the same name — compromised npm packages used by SAP Cloud Application Programming Model (CAP) developers, including mbt (MTA Build Tool), @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service. Malicious preinstall scripts ran during npm install and stole developer, GitHub, npm, cloud, CI/CD, and service account credentials. Stolen tokens were then used to propagate the malware to additional npm packages and create exfiltration repositories. The campaign expanded the 2025 Shai-Hulud worm and is reported to have compromised over 160 packages by May 2026.
Workaround
Audit recent npm installations from CAP-related packages. Rotate any credentials that may have been present on developer machines or CI/CD runners during the affected installation window: GitHub PATs, npm tokens, cloud service account keys, CI/CD secrets, and any other credentials accessible to the build environment. Pin known-good versions in package-lock.json.
Patch Action
Apply guidance from SAP HotNews Note 3747787. Re-pull clean versions of the affected packages from npm. Run a full credential rotation for anything that touched a developer machine or build pipeline during the campaign window. Review CI/CD logs for unexpected outbound network calls.
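The audit step in the Workaround and Patch Action sections, as an added example that is not code from SAP or from the affected packages: it checks a parsed package-lock.json (lockfile v2/v3 "packages" map) for the four packages named above, for any dependency npm recorded as carrying an install script, and for install-time lifecycle hooks in an installed package's manifest, the mechanism the malicious preinstall scripts relied on. The sample lockfile, manifest, versions and URLs are constructed for illustration; the package names are the only values taken from the advisory.

```javascript
// Package names from the advisory. No versions are listed because the page gives
// none, so every installed version of these packages is reported for manual review.
const WATCHLIST = new Set(["mbt", "@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service"]);

// Lifecycle scripts npm runs automatically during `npm install`, in execution order.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Package name from a lockfile key such as "node_modules/a/node_modules/@cap-js/sqlite".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Install-time hooks declared in a parsed package.json; an empty array means none.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Audit a parsed lockfile: watchlisted packages at any version (including nested
// copies) plus every dependency npm flagged with hasInstallScript.
function auditLock(lock) {
  const watchlisted = [];
  const withInstallScripts = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = nameFromLockKey(key);
    const record = { name, version: entry.version, resolved: entry.resolved };
    if (WATCHLIST.has(name)) watchlisted.push(record);
    if (entry.hasInstallScript === true) withInstallScripts.push(record);
  }
  return { watchlisted, withInstallScripts };
}

// Constructed sample lockfile: placeholder versions and URLs, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "cap-demo-sample" },
    "node_modules/@cap-js/sqlite": { version: "0.0.0-sample", resolved: "https://registry.example/sample.tgz", hasInstallScript: true },
    "node_modules/express": { version: "0.0.0-sample", resolved: "https://registry.example/sample.tgz" },
    "node_modules/lodash/node_modules/mbt": { version: "0.0.0-sample", resolved: "https://registry.example/sample.tgz" },
  },
};

// Constructed manifest of an installed package that declares a preinstall hook.
const SAMPLE_MANIFEST = { name: "@cap-js/sqlite", scripts: { preinstall: "node setup.js", test: "mocha" } };

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
console.log(installHooks(SAMPLE_MANIFEST));
```

Feed it `JSON.parse(fs.readFileSync("package-lock.json"))` and each `node_modules/*/package.json` to run it against a real checkout; the three hooks it lists are the ones `npm install --ignore-scripts` suppresses while you review the findings.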
Affected Versions
Patch Info