Mini Shai Hulud Supply Chain Attack

Advisory
April 30, 2026
Kudelski Security Team

Summary

A sophisticated supply chain attack, dubbed "Mini Shai Hulud," has been attributed to the threat actor group TeamPCP. This operation involves the compromise of SAP-related npm packages through the injection of malicious preinstall scripts. The attack aims to harvest developer and CI/CD secrets from platforms such as GitHub, npm, and major cloud providers, with exfiltration occurring via attacker-controlled GitHub repositories.

Affected Systems and/or Applications

The attack targets specific npm packages within the SAP ecosystem, including:

  • @cap-js/sqlite - v2.2.2
  • @cap-js/postgres - v2.2.2
  • @cap-js/db-service - v2.10.1
  • mbt - v1.2.48

The listed versions were republished with a malicious preinstall lifecycle script, so the payload runs automatically during npm install (including transitive installs and CI builds) without any code from the package being imported.

Technical Details

The preinstall hook runs a setup.mjs dropper, which downloads the Bun runtime and uses it to execute an obfuscated payload (execution.js, roughly 11 MB). This payload acts as a credential stealer and propagation framework targeting developer workstations and CI/CD pipelines. It collects sensitive data, including:

  • GitHub tokens
  • npm credentials
  • Cloud secrets (AWS, Azure, GCP)
  • Kubernetes tokens
  • GitHub Actions secrets

Exfiltration is conducted via public, attacker-controlled GitHub repositories using encrypted payloads. The malware also includes logic to propagate to additional repositories and package distributions reachable with the stolen tokens. Notably, the payload checks the system language and terminates if the compromised machine is configured for Russian, so no data is collected or exfiltrated from such systems.

The attack also introduces browser credential theft capabilities, targeting multiple browsers such as Chrome, Safari, Edge, Brave, and Chromium.

Mitigation

Security teams should take the following steps to mitigate the impact of this attack:

  1. Identify Exposure: Search environments, lockfiles (including nested node_modules entries), artifact stores, package caches, and CI logs for the affected package versions and the dropped files (setup.mjs, execution.js).
  2. Rotate Credentials: If exposure is suspected, treat every secret that was present on the affected host or pipeline as compromised. Remove the malicious packages first, then immediately revoke and rotate GitHub tokens, npm tokens, cloud credentials, Kubernetes tokens, and CI/CD secrets, otherwise the replacement secrets are exposed to the same payload.
  3. Audit GitHub Activity: Look for suspicious commits, newly created repositories, or indicators such as the propagation keyword and unusual commit authors, in both user and organization accounts that the stolen tokens could reach.
  4. Monitor for Indicators of Compromise (IoCs): Use the file hashes and sizes below to detect the dropper, the execution scripts, and the compromised tarballs within your environment.

Indicators of Compromise

  • Shared Dropper: setup.mjs (4,549 bytes)
    SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
    SHA1: 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431
    MD5: 35baf8316645372eea40b91d48acb067
  • Execution Script: execution.js from @cap-js/sqlite and @cap-js/postgres (11,723,748 bytes)
    SHA256: eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb
    SHA1: ca4a5bb85778ffcd2153ace88fe2d882c8ceeb23
    MD5: b523a69b27064d1715d1f0aaffcfae63
  • Execution Script: execution.js from @cap-js/db-service (11,729,871 bytes)
    SHA256: 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
    SHA1: bc95cc5dda788295aa0c9456791520599ef99526
    MD5: 6fb87d243b011b5445f379f80e1a6b4d
  • Execution Script: execution.js from mbt (11,678,349 bytes)
    SHA256: 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac
    SHA1: 6bc859aaee1f8885eec2a3016226e877e5adba08
    MD5: 45dc9c02f82b4370ca92785282d43a86
  • Tarball: @cap-js/sqlite and @cap-js/postgres (3,409,213 bytes)
    SHA256: 1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee
    SHA1: e80824a19f48d778a746571bb15279b5679fd61c
    MD5: e32eaf0c3cde9616831a1e92d42b0058
  • Tarball: @cap-js/db-service (3,395,651 bytes)
    SHA256: a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211
    SHA1: 7b6a28e92149637e5d7c7f4a2d3e54acd507c929
    MD5: 8cd683f78735c9bfc32600c73d3d9abe
  • Tarball: mbt (3,373,788 bytes)
    SHA256: 86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41
    SHA1: 0af7415d65753f6aede8c9c0f39be478666b9c12
    MD5: 04d8a99447b16f6839fff3b978f88d7e

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed.
