ACCORDING to StepSecurity, a new npm supply chain attack dubbed “Mini Shai-Hulud” has emerged, using preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. The campaign has compromised SAP-related npm packages, with mbt v1.2.48 and @cap-js/sqlite v2.2.2 confirmed so far. Stealthy changes in mbt@1.2.48 include a first-time preinstall script, a new setup[.]mjs file and an execution[.]js file, and a payload size surge from 23 KB to 11.7 MB.
The obfuscated script is reportedly a single 11.6 MB line, and the attacker is exfiltrating credentials and environment data, potentially targeting enterprise SAP developer environments. Live evidence described by StepSecurity shows victim repositories appearing on GitHub in real time, with a distinctive description string embedded in the payload: “A Mini Shai-Hulud has Appeared.” The investigation is ongoing, with further affected packages and remediation steps to be updated as more indicators emerge.