Compromised SAP npm Packages Harvest Crypto and Cloud Keys
Four npm packages in SAP’s Cloud Application Programming Model were altered to include malware that steals crypto wallets, cloud credentials and SSH private keys from developers and CI/CD systems.
Four npm packages tied to SAP’s Cloud Application Programming Model were altered to include code that exfiltrates crypto wallets, cloud credentials and SSH private keys from developer machines and CI/CD environments. The compromised versions are [email protected], @cap-js/[email protected], @cap-js/[email protected] and @cap-js/[email protected]. Those packages together receive about 572,000 downloads per week.
Investigators found the injected code added a preinstall script (a lifecycle hook npm runs automatically during installation) that downloads a Bun runtime binary from GitHub and launches an obfuscated 11.7MB JavaScript payload. The original SAP source files remain in the packages, but three new files were added: a modified package.json, setup.mjs and execution.js. The new files carry timestamps hours after the legitimate code, consistent with tarballs altered after the build. The loader script is identical across all four packages even though they sit in two different namespaces.
When run, the payload checks the system locale and exits if Russian settings are detected. It then inspects about 25 environment variables associated with services such as GitHub Actions, CircleCI and Jenkins to determine whether it is running in a CI/CD environment or on a developer workstation, and follows a different code path for each context.
On developer systems the payload searches for more than 80 types of credential and configuration files. Targets include SSH private keys, AWS and Azure credential files, Kubernetes configuration files, npm and Docker tokens, environment variable files and crypto wallets across eleven platforms. The payload also looks for configuration files for AI tools, including settings related to Claude and Kiro MCP. Captured data is staged for exfiltration by the loader.
The payload is protected by two layers of encryption. A decryption function named “__decodeScrambled()” derives keys using PBKDF2 with 200,000 SHA-256 iterations and a salt labeled “ctf-scramble-v2.” That function name, algorithm, salt and iteration count match elements observed in earlier malicious payloads, indicating reuse of toolkit components. The runtime binary was distributed from GitHub.
Trackers monitoring the activity designated the operator cluster “TeamPCP” and labeled the campaign “mini-shai-hulud.” At least one affected package version, @cap-js/[email protected], appears to have been unpublished from the npm registry after the compromise was discovered.
Security teams using the Cloud Application Programming Model or MTA-based deployment pipelines are advised to inspect lockfiles for the affected versions and assume any credentials present during the exposure window may be compromised. Developers who installed the tainted packages should rotate exposed secrets and tokens, review CI/CD logs for unexpected network requests or binary executions, and search build and deployment artifacts for signs of the loader running.
The incident follows other supply-chain attacks that targeted package managers and developer tooling to capture digital-asset credentials, including campaigns that used typosquatted packages and malicious insertions to harvest private keys and system secrets.