7 stolen GitHub tokens. 971 repositories. A self-replicating supply chain attack targeting SAP's Node.js packages — and it's still active. Here's what GitGuardian found.

GitGuardian Blog provides insights, tutorials, and updates on secrets management, code security, and developer best practices. Covering topics such as credential leaks, code scanning, and secure development workflows, GitGuardian Blog offers resources for developers, security professionals, and DevOps teams. Readers can learn about detecting and preventing secrets exposure, securing code repositories, and implementing secure coding practices through GitGuardian's articles and security guides.

GitGuardian

Aikido researchers discovered a self-replicating supply chain attack targeting SAP's Node.js npm packages. The malware harvests GitHub personal access tokens (ghp_) from CI environment variables, exfiltrates encrypted secrets to attacker-controlled GitHub accounts, and uses stolen tokens to create new public repositories — enabling self-propagation. GitGuardian identified 7 exposed tokens, 23 compromised GitHub accounts, and 971 public repositories created as exfiltration infrastructure, all named with Dune-themed keywords. The attack was still active and growing at time of publication.

A Mini Shai-Hulud Targeting the SAP Ecosystem