For a few critical days at the end of April 2026, thousands of developers building SAP integrations unknowingly handed their passwords and cloud credentials to attackers. Four widely used npm packages, official components of the SAP development ecosystem that together account for roughly 500,000 weekly downloads according to research published by Wiz, were hijacked and laced with credential-stealing malware. The compromised versions appeared on April 29 and remained live long enough to potentially poison builds at companies ranging from midsize software shops to Fortune 500 enterprises that rely on SAP’s sprawling business software platform.
By early May 2026, multiple security firms had dissected the attack, dubbed it “Mini Shai-Hulud,” and published technical breakdowns. The malicious versions have since been pulled from the npm registry. But the incident has left open questions about how the attackers got in, how many organizations were exposed, and whether stolen secrets have already been exploited.
What happened
Security researchers at Aikido were among the first to flag the malicious code. The payload was engineered to harvest credentials and secrets from developer workstations and automated build pipelines. Because npm packages can run install-time scripts automatically when they are installed, any developer or continuous-integration server that pulled a fresh update during the compromise window would have run the attacker’s code silently, with no visible warning.
The attack also carried an unusual twist. According to analysis by RedRays, the attackers embedded instructions designed to be picked up by AI-powered coding assistants, specifically Anthropic’s Claude. In practice, that means a developer using an AI agent to help write or review code could have triggered the credential exfiltration automatically, turning a productivity tool into an attack vector. Cloud tokens for services like AWS and GitHub were among the targeted secrets, raising the possibility that a single compromised laptop could unlock access across multiple cloud platforms and source-code repositories.
Wiz researchers classified the campaign under the Mini Shai-Hulud family of npm supply-chain attacks. SecurityBridge analysts independently confirmed that all four packages were official SAP ecosystem components and that the malicious versions briefly distributed credential-stealing malware before being identified and removed. German technology outlet Heise reported that unnamed security researchers attribute the attack to a hacker group called TeamPCP, though that claim has not been corroborated by law enforcement, SAP, or other major threat-intelligence teams.
The timeline was tight. The hijacked versions appeared on April 29, and within days Aikido, Wiz, and SecurityBridge had all published advisories. Acronis flagged the incident in its weekly threat digest as well. The rapid detection limited the exposure window, but with download volumes this high, even a few days of compromise can translate into thousands of tainted builds across organizations worldwide.
What remains uncertain
As of late May 2026, several important questions remain unanswered. SAP has not released a public statement confirming the full scope of the compromise, detailing which specific package versions were affected, or explaining how the attackers obtained publishing access to its official npm accounts. The company has also not indicated whether it issued alerts through its own security advisory channels, such as SAP Security Notes. Without that, the security community is relying on third-party analysis from Aikido, Wiz, and SecurityBridge to reconstruct the event.
GitHub, npm’s parent organization, has not publicly detailed any platform-level response beyond the removal of the malicious package versions. Whether additional safeguards were applied to SAP’s publishing accounts or whether npm conducted a broader audit of related packages has not been disclosed.
The TeamPCP attribution, sourced to unnamed researchers via Heise, sits on thin ground. Attribution in supply-chain attacks is notoriously difficult because attackers typically use stolen maintainer credentials or compromised publishing tokens, which obscure the true origin. TeamPCP has not appeared prominently in prior public threat-intelligence reporting, and no other investigative team has independently confirmed the link. The name should be treated as a lead, not a conclusion.
Perhaps most importantly, no organization has publicly confirmed that stolen credentials were actually used to access cloud infrastructure, exfiltrate data, or move laterally within corporate networks. The gap between “credentials were harvested” and “credentials were exploited” is significant. For now, the incident is best understood as a high-severity exposure event rather than a fully documented breach of specific enterprises.
The AI angle also needs careful framing. While RedRays documented the weaponization of Claude, the precise mechanism and its real-world effectiveness have not been independently tested or quantified. It is not yet clear whether AI coding agents broadly followed the malicious instructions under default settings or whether specific configurations were required. That distinction matters when estimating how many teams were practically at risk versus theoretically exposed.
What defenders should do now
For development teams running SAP-connected applications, the first step is concrete: audit your project lock files and CI/CD pipeline logs for any package updates pulled on or after April 29. Focus on builds that fetched fresh dependencies rather than relying on cached artifacts. If compromised versions were installed, rotate every credential and token that was accessible to the build environment. That includes cloud-provider keys, API tokens, and source-control access tokens. Treat any secret that existed on an affected machine as potentially exposed, and review cloud-account activity logs for unusual access patterns in the weeks since the compromise.
Beyond immediate triage, organizations should examine how npm publishing rights are managed for both internal and third-party packages. Enforcing multi-factor authentication on maintainer accounts, using scoped access tokens with minimal privileges, and mirroring critical packages to an internal registry can all reduce the blast radius of future hijacks. Pinning dependencies to known-good versions and using tools that flag unexpected version changes or new maintainers can provide early warning of tampering.
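The lock-file audit and the "flag unexpected version changes" check described in the two paragraphs above can be combined in one pass over package-lock.json. The following is an added example, not code from the article or from any of the vendors it cites; the watchlist name and version are placeholders to be filled in from a vendor advisory, and both lock files are constructed sample data.

```javascript
// Placeholder watchlist: package name -> versions an advisory lists as affected.
const WATCHLIST = {
  '@placeholder-scope/package-a': ['9.9.9'], // placeholder, not a real package
};

// Flatten the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/a/node_modules/b" for nested installs.
function listInstalled(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf('node_modules/');
    const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
    out.push({ path, name, version: meta.version, hasInstallScript: !!meta.hasInstallScript });
  }
  return out;
}

// Compare the current lock file with a known-good baseline and report:
// affected / watchlisted packages, version drift, and new packages that
// declare install scripts (npm records this as "hasInstallScript").
function auditLock(current, baseline, watchlist = WATCHLIST) {
  const known = new Map(listInstalled(baseline).map(p => [p.path, p.version]));
  const findings = [];
  for (const p of listInstalled(current)) {
    const bad = watchlist[p.name];
    let level = null;
    if (bad) level = bad.includes(p.version) ? 'affected' : 'watchlisted';
    else if (known.has(p.path)) level = known.get(p.path) !== p.version ? 'version-changed' : null;
    else if (p.hasInstallScript) level = 'new-install-script';
    if (level) findings.push({ level, from: known.get(p.path), ...p });
  }
  return findings;
}

// Constructed sample lock files (not from any real project).
const baseline = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@placeholder-scope/package-a': { version: '9.9.8' },
  'node_modules/left-example': { version: '1.2.0' },
} };
const current = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@placeholder-scope/package-a': { version: '9.9.9', hasInstallScript: true },
  'node_modules/left-example': { version: '1.3.0' },
  'node_modules/left-example/node_modules/helper-example': { version: '0.1.0', hasInstallScript: true },
} };

for (const f of auditLock(current, baseline)) {
  console.log(`${f.level}\t${f.name}@${f.version}\t${f.path}`);
}
```

In practice the two arguments would be the parsed package-lock.json from the current build and from the last commit known to predate the compromise window; an "affected" finding is the trigger for the credential rotation described above.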
Teams that use AI coding agents should treat them as part of the attack surface. That means reviewing any workflow that grants an AI tool access to live credentials or production configuration files and restricting that access to tightly sandboxed environments. Where AI tools can execute code or modify infrastructure-as-code templates, adding human review checkpoints is a practical safeguard.
What Mini Shai-Hulud signals for the software supply chain
This incident fits a pattern that has accelerated sharply: attackers are not writing novel malware from scratch so much as poisoning the trusted packages developers already depend on. What sets Mini Shai-Hulud apart is the combination of npm hijacking with AI-agent manipulation, a pairing that shows how quickly emerging developer tools can be folded into existing attack playbooks. The technique exploits two layers of trust simultaneously: trust in the package registry and trust in the AI assistant interpreting the code.
Even if confirmed damage ultimately proves limited, the episode exposes a structural weakness. Software teams need better visibility into what actually runs inside their build pipelines, faster mechanisms for rotating secrets when something goes wrong, and a more skeptical posture toward any automated tool that acts on code or configuration without human oversight. As more details surface from SAP, npm, or affected organizations, the full picture of Mini Shai-Hulud will sharpen. Until then, the smartest response is to treat this as a warning shot and close the gaps it revealed before the next supply-chain attack exploits them at greater scale.
*This article was researched with the help of AI, with human editors creating the final content.