StepSecurity has identified a new npm supply chain attack, dubbed 'Mini Shai-Hulud', targeting packages in the SAP ecosystem. Two compromised packages are confirmed so far: mbt@1.2.48 and @cap-js/sqlite@2.2.2. The attacker injected a preinstall hook that downloads the Bun JavaScript runtime and uses it to execute an 11 MB obfuscated payload; running the payload under Bun rather than Node.js likely aims to evade detection tooling focused on Node.js. The signals that exposed it were a preinstall script that appeared with no prior version history, two undocumented files added to the package, and a 500x increase in package size within a single version bump. Victim GitHub repositories carrying a hardcoded description are being created in real time, each one representing a developer whose credentials were stolen when the package was installed.
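The three detection signals listed above can be checked mechanically before a dependency upgrade is accepted, by diffing the new version's metadata against the previously published one. The following is an added example and not StepSecurity's code or tooling; the package name, file lists and sizes are constructed to approximate what `npm view <pkg>@<version> --json` (`scripts`, `dist.unpackedSize`) and a listing of the downloaded tarball would yield.

```javascript
// Added example, not StepSecurity's code. Flags the three signals the
// write-up describes when comparing two consecutive published versions
// of an npm package:
//   1. a lifecycle install script (preinstall/install/postinstall/prepare)
//      that the previous version did not have,
//   2. files present in the new tarball but absent from the previous one,
//   3. an unpacked-size jump of at least `sizeRatioThreshold`.
// The records below are constructed test data shaped roughly like what
// `npm view <pkg>@<ver> --json` (scripts, dist.unpackedSize) plus a
// tarball listing (`tar tzf <pkg>.tgz`) would give; the package name,
// file names and sizes are hypothetical.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function diffVersions(prev, next, sizeRatioThreshold = 10) {
  const findings = [];

  // Signal 1: a lifecycle hook that appears for the first time in `next`.
  const prevScripts = prev.scripts || {};
  const nextScripts = next.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (nextScripts[hook] !== undefined && prevScripts[hook] === undefined) {
      findings.push({ signal: "new-lifecycle-script", hook, command: nextScripts[hook] });
    }
  }

  // Signal 2: files shipped in `next` that `prev` did not ship.
  const prevFiles = new Set(prev.files);
  const newFiles = next.files.filter((f) => !prevFiles.has(f));
  if (newFiles.length > 0) {
    findings.push({ signal: "new-files", files: newFiles });
  }

  // Signal 3: unpacked size grew by at least the threshold factor.
  if (prev.unpackedSize > 0) {
    const ratio = next.unpackedSize / prev.unpackedSize;
    if (ratio >= sizeRatioThreshold) {
      findings.push({ signal: "size-jump", ratio: Math.round(ratio) });
    }
  }
  return findings;
}

// Constructed sample data for a hypothetical package "example-build-tool":
// a clean release followed by one that gains a preinstall hook, two extra
// files and a 500x size increase, mirroring the signals in the write-up.
const PREV_VERSION = {
  name: "example-build-tool",
  version: "1.0.0",
  scripts: { test: "mocha" },
  files: ["package.json", "README.md", "lib/index.js"],
  unpackedSize: 20000,
};

const NEXT_VERSION = {
  name: "example-build-tool",
  version: "1.0.1",
  scripts: { test: "mocha", preinstall: "node setup.js" },
  files: ["package.json", "README.md", "lib/index.js", "setup.js", "payload.bin"],
  unpackedSize: 10000000,
};

// Any finding should block the upgrade pending manual review.
console.log(JSON.stringify(diffVersions(PREV_VERSION, NEXT_VERSION), null, 2));
```

Any one of the three findings is reason to hold the upgrade until the tarball has been inspected by hand. Independently of such checks, installing with `npm ci --ignore-scripts` in CI stops a lifecycle hook like the one described here from running at all, at the cost of having to invoke legitimate build steps explicitly.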

From stepsecurity.io