[TIMESTAMP: 2026-04-30 16:38 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

SAP NPM Supply Chain Attack: Analyzing the Mini Shai-Hulud Campaign

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Malicious NPM packages are targeting SAP developers, combining dependency confusion with a downloaded Bun runtime to execute code while evading process monitoring tuned for Node.js.
  • [02] Affected systems include CI/CD pipelines and developer workstations that lack strict registry scoping or integrity verification for external dependencies.
  • [03] Organizations must enforce private registry usage and implement strict package prefixing to block unauthorized external library installations.

Recent research has uncovered a supply chain attack targeting the ecosystem surrounding SAP, specifically through the NPM registry. According to SecurityWeek, security firm Mend.io identified a campaign dubbed ‘Mini Shai-Hulud’ that leveraged typosquatting and dependency confusion to reach SAP-related development environments. The campaign is notable for executing its payload with an unconventional runtime, Bun, rather than the Node.js process that most security telemetry is tuned to watch.

Anatomy of the Mini Shai-Hulud Campaign

The TTPs employed by the attackers target the earliest stage of the software development lifecycle: dependency resolution. By publishing packages to the public NPM registry whose names mimic SAP-internal utilities, such as @sap/audit-logging or similar internal tools, the attackers aim to exploit dependency confusion. If a developer's environment or CI runner is not configured to resolve such names exclusively from the internal registry, the package manager may pull the public package because it carries a higher version number than the internal one. Because a scope on the public registry can only be published to by the organisation that owns it, the exposure is greatest for internal packages that are unscoped or that use a scope nobody has registered publicly.

The primary execution mechanism within these packages is the preinstall hook in package.json. npm runs this script automatically whenever the package is installed, including when it is pulled in as a transitive dependency, so the malicious code executes before any of the project's own code or tests run. This is a common method for achieving initial access; what sets the Mini Shai-Hulud campaign apart is the technical layer it adds on top to stay stealthy.

The Bun Runtime as an Evasion Vector

Unlike traditional NPM malware that runs its payload under the host's Node.js (or drops to Python), this campaign downloads a Bun binary and hands execution to it. Bun is a modern, high-performance JavaScript runtime that bundles its own package manager and bundler. By bringing their own runtime, the attackers are no longer dependent on the Node.js version installed on the victim's machine and can run their full payload under a process name most defenders have never had to inventory.

Furthermore, many EDR and SIEM detections are tuned to the behaviour of familiar processes such as node.exe or powershell.exe. Because Bun is newer and uncommon in enterprise environments, its activity may not match existing behavioral rules, which lowers the attacker's risk of detection while establishing a C2 connection and performing reconnaissance. The weakness of that evasion is that the binary is fetched at install time and launched from a location the install process can write to, so rules keyed on process lineage (a package manager spawning an unrecognised executable) catch it regardless of the process name.

Mitigating NPM Dependency Confusion Vulnerabilities

Once a developer workstation is compromised, the risk of lateral movement within the corporate network increases significantly, since developer machines typically hold credentials and source access. Defending against these threats means moving beyond signature-based detection. The key preventive control against dependency confusion is strict registry scoping: if every @sap scoped package can only be resolved from an internal, verified registry, a public lookalike in that scope is never fetched. Scoping protects only the names it covers, so unscoped internal packages should be moved under a scope or have their names reserved on the public registry as well.

How to Detect SAP NPM Supply Chain Attack Activity

Security teams should focus on anomalous process and network activity initiated during the build process. Indicators worth hunting for include:

  • Downloads of unauthorized binaries (such as Bun) from domains other than the configured package registry during npm install, yarn install or equivalent operations.
  • Unexpected changes in package-lock.json: resolved URLs pointing at a registry host other than the one mapped for that scope, or version jumps that do not match internal release cycles.
  • MITRE ATT&CK mapping of the activity to supply chain compromise techniques, in particular T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools).
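As an added example (not code from the article, Mend.io or any vendor), the following Node.js detector applies the first indicator above to endpoint telemetry: it builds a process tree, identifies every process descending from an npm, yarn or pnpm install command, and raises an alert when such a process spawns a bun binary or any executable from a user-writable temporary directory, or when it connects to a host outside the registry allowlist. The event schema, the hostnames, the script names and every event are constructed; map the fields onto whatever your EDR or Sysmon pipeline actually emits.

```javascript
// Added example (not the article's or any vendor's code): flag "bring your own
// runtime" behaviour under a package-manager install. All events, hostnames and
// paths below are constructed for illustration.

const ALLOWED_HOSTS = new Set(['registry.npmjs.org', 'npm.internal.example.com']); // assumed allowlist
const INSTALL_CMD = /\b(npm|yarn|pnpm)\b.*\b(install|ci|i)\b/;
const RUNTIME_BINARY = /(^|[\\/])bun(\.exe)?$/i;
const UNTRUSTED_DIR = /(^|[\\/])(tmp|temp|\.cache|\.bun|Downloads)([\\/]|$)/i;

// events: {type:'process', pid, ppid, image, cmdline} or {type:'network', pid, host}
function detect(events) {
  const byPid = new Map();
  for (const e of events) if (e.type === 'process') byPid.set(e.pid, e);

  // True if pid, or any ancestor in the tree, is a package-manager install command.
  function underInstall(pid, depth = 0) {
    const p = byPid.get(pid);
    if (!p || depth > 32) return false;              // unknown parent or cycle guard
    if (INSTALL_CMD.test(p.cmdline)) return true;
    return underInstall(p.ppid, depth + 1);
  }

  const alerts = [];
  for (const e of events) {
    if (!underInstall(e.pid)) continue;
    if (e.type === 'process' && (RUNTIME_BINARY.test(e.image) || UNTRUSTED_DIR.test(e.image))) {
      alerts.push({ ts: e.ts, pid: e.pid, rule: 'unexpected runtime under install', detail: e.image });
    } else if (e.type === 'network' && !ALLOWED_HOSTS.has(e.host)) {
      alerts.push({ ts: e.ts, pid: e.pid, rule: 'non-registry egress during install', detail: e.host });
    }
  }
  return alerts;
}

// Constructed telemetry: an npm install whose preinstall hook fetches a runtime
// binary, plus an unrelated editor process that must not be flagged.
const SAMPLE_EVENTS = [
  { ts: '2026-04-30T16:01:00Z', type: 'process', pid: 100, ppid: 1,   image: '/usr/bin/node', cmdline: 'npm install' },
  { ts: '2026-04-30T16:01:02Z', type: 'process', pid: 101, ppid: 100, image: '/bin/sh',       cmdline: 'sh -c "node preinstall.js"' },
  { ts: '2026-04-30T16:01:02Z', type: 'process', pid: 102, ppid: 101, image: '/usr/bin/node', cmdline: 'node preinstall.js' },
  { ts: '2026-04-30T16:01:03Z', type: 'network', pid: 102, host: 'registry.npmjs.org' },
  { ts: '2026-04-30T16:01:04Z', type: 'network', pid: 102, host: 'downloads.example.net' },
  { ts: '2026-04-30T16:01:06Z', type: 'process', pid: 103, ppid: 102, image: '/home/dev/.bun/bin/bun', cmdline: 'bun run stage2.js' },
  { ts: '2026-04-30T16:01:07Z', type: 'network', pid: 103, host: 'c2.example.net' },
  { ts: '2026-04-30T16:05:00Z', type: 'process', pid: 200, ppid: 1,   image: '/usr/bin/code', cmdline: 'code .' },
  { ts: '2026-04-30T16:05:01Z', type: 'network', pid: 200, host: 'update.example.com' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of detect(SAMPLE_EVENTS)) console.log(`${a.ts} pid=${a.pid} ${a.rule}: ${a.detail}`);
}
```

Lineage rather than process name is what makes this robust: renaming the dropped binary defeats the RUNTIME_BINARY pattern but not the "package manager spawned something from a temp directory" check or the egress check, so the three rules are layered deliberately.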

Recommendations for Defenders

To bring the Bun runtime under the same monitoring as Node.js in DevOps pipelines, and to protect supply chain integrity more generally, defenders should implement the following controls:

  1. Enforce Scoped Registries: Map each internal scope to the enterprise registry in .npmrc (for example, @sap:registry=https://<internal-registry>/), so the public registry is never queried for internal-only packages. Commit the file to the repository and mirror it in CI runner configuration so it cannot be silently omitted.
  2. Disable Lifecycle Scripts: Install with --ignore-scripts (or set ignore-scripts=true in .npmrc) so that preinstall and postinstall hooks do not run. Some packages with native components legitimately need install scripts; allowlist those explicitly rather than re-enabling scripts globally.
  3. Integrity Verification: Use npm ci against a committed lock file so that every tarball is checked against the integrity hash recorded in package-lock.json, and review lock-file diffs before merge; a changed resolved URL or integrity value for an existing version is a red flag.
  4. Runtime Monitoring: Add the Bun runtime and other emerging JavaScript tools to process monitoring and behavioral analysis rules, and alert when a package-manager process spawns an executable that is not part of the build image.
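As an added example that is not the article's, Mend.io's or SAP's code, here is a Node.js script that applies recommendations 1 and 3 together with the lock-file audit described under detection: it reads the scope-to-registry mapping from an .npmrc, then walks a package-lock.json (lockfileVersion 2 or 3) and flags entries whose resolved URL does not come from the registry their scope is mapped to, entries with no resolved URL at all, and entries that declare install lifecycle scripts. The registry hostnames, the package names (@sap/internal-build-utils is hypothetical) and the lockfile contents are constructed for illustration; the weak and hardened .npmrc variants are shown side by side.

```javascript
// Added example (not the article's or any vendor's code): audit package-lock.json
// against the scope-to-registry mapping in .npmrc. Hostnames, package names and
// lockfile contents below are constructed for illustration.

// Parse the subset of .npmrc syntax needed here: "registry=" and "@scope:registry=".
function parseNpmrc(text) {
  const cfg = { defaultRegistry: null, scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.defaultRegistry = value;
    else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = value;
    }
  }
  return cfg;
}

// Hostname of a URL, or null if it does not parse (e.g. a git: resolved value).
function hostOf(u) {
  try { return new URL(u).host; } catch { return null; }
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are node_modules paths, so
// the package name is the part after the last "node_modules/".
function auditLockfile(lock, npmrcText) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;          // root project and workspace links
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const scope = name.startsWith('@') ? name.slice(0, name.indexOf('/')) : null;
    const expected = (scope && cfg.scopes[scope]) || cfg.defaultRegistry;
    const flag = (reason) => findings.push({ name, version: entry.version, reason });

    if (!entry.resolved) {
      flag('no resolved URL recorded');
    } else if (expected && hostOf(entry.resolved) !== hostOf(expected)) {
      flag(`resolved from ${hostOf(entry.resolved)}, expected ${hostOf(expected)}`);
    }
    if (entry.hasInstallScript) flag('declares install lifecycle scripts');
  }
  return findings;
}

// Weak setting: everything, including the internal scope, resolves from the public registry.
const NPMRC_WEAK = 'registry=https://registry.npmjs.org/\n';
// Hardened setting: the internal scope is pinned to the private registry (hostname assumed).
const NPMRC_HARDENED = [
  '# constructed example: route the internal scope to the private registry',
  'registry=https://registry.npmjs.org/',
  '@sap:registry=https://npm.internal.example.com/',
].join('\n');

// Constructed lockfile: a lookalike internal package pulled from the public registry at an
// implausibly high version with an install script, next to two legitimately resolved packages.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@sap/internal-build-utils': {   // hypothetical package name
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/@sap/internal-build-utils/-/internal-build-utils-99.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/@sap/logging': {
      version: '2.3.1',
      resolved: 'https://npm.internal.example.com/@sap/logging/-/logging-2.3.1.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('hardened .npmrc:', auditLockfile(SAMPLE_LOCK, NPMRC_HARDENED));
  console.log('weak .npmrc:', auditLockfile(SAMPLE_LOCK, NPMRC_WEAK));
}
```

Run against the hardened .npmrc the audit isolates the lookalike on two counts (wrong registry host for its scope, and an install script); against the weak .npmrc the registry mismatch is invisible because the public registry is exactly where the configuration says @sap packages should come from, which is the point of recommendation 1. Wire the check into CI so a pull request that changes a resolved host or adds hasInstallScript fails review automatically.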
