What's Happening?
A new supply chain attack has injected malicious code into four npm packages published by SAP, according to security researchers. The attack, known as Mini Shai-Hulud, affects packages linked to the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. On April 29, four package versions were identified as malicious, including mbt 1.2.48 on npm and several @cap-js packages. These packages, which have over 500,000 combined weekly downloads, were injected with a preinstall script that acts as a runtime bootstrapper: the script fetches a Bun binary from a GitHub repository and executes it. The malicious code is designed to steal local credentials and cloud secrets and exfiltrate them through public GitHub repositories. The attack is attributed to the TeamPCP hacking group, known for previous supply chain attacks.
Why It's Important?
This attack highlights the fragility of software supply chains, particularly for organizations using SAP's CAP framework. The compromised packages pose a significant threat to developers and organizations relying on these tools to build and deploy applications. Because the attack exploits the trust placed in widely used packages, it underscores the need for robust security controls in the software development process. The incident also emphasizes the importance of monitoring and securing third-party dependencies, since they can become vectors for cyberattacks. Organizations affected by this attack may face data breaches and operational disruptions, impairing their ability to deliver services and maintain customer trust.
What's Next?
Organizations using SAP Business Technology Platform workflows and related deployment pipelines are advised to check whether any of the malicious package versions were installed during the exposure window. Security teams should prioritize updating to clean versions and implementing stricter controls on package dependencies. The incident may prompt a broader industry response to strengthen supply chain security, including closer collaboration between software vendors and security researchers. Companies may also need to invest in advanced threat detection and response capabilities to mitigate future risks.