Morning Overview

The ‘Mini Shai-Hulud’ attack hides inside AI coding agent configs — the first supply chain attack to weaponize Claude Code and VS Code as persistence vectors

On April 29, 2026, someone slipped malicious code into four widely used SAP software packages. Within days, the infection had spread to at least 169 packages across the npm registry, the world’s largest repository of JavaScript code. But what made this attack different from the dozens of supply chain compromises that hit npm every year was not the scale. It was the hiding place.

The worm, dubbed Mini Shai-Hulud by security researchers, buries itself in configuration files that two of the most widely used developer tools read automatically when a project is opened: Anthropic’s Claude Code, an AI coding agent, and Microsoft’s Visual Studio Code. Once those files are modified, the malware persists even after a developer removes the infected package. It lives in the tool settings, not in the package code, and it runs again every time the project is opened.

According to researchers at ScriptWalker, Mend.io, and several other security firms, this marks the first documented supply chain attack to weaponize AI coding agent configurations as a persistence mechanism. That distinction matters because millions of developers now rely on AI coding assistants that automatically interpret project-level config files, and until now, those files were not widely recognized as an attack surface.

How the attack unfolded

The initial breach targeted four npm packages maintained under SAP’s Cloud Application Programming Model (CAP), a framework used by enterprise developers building applications on SAP’s cloud platform. The attacker exploited Claude Code’s GitHub integration to gain access to the packages’ repositories, then injected malicious continuous integration workflows that modified the code before it was published to npm.

Once a developer installed one of the compromised packages, the worm planted hooks in two specific files: .claude/settings.json and .vscode/tasks.json. Claude Code reads the first when a session starts in the project; VS Code reads the second when the folder is opened and, for tasks marked to run on folder open, executes them without further interaction in any workspace the developer has already marked as trusted, which is the normal state for a project someone works in daily. Any machine that pulled the infected packages could therefore execute attacker-controlled instructions without the developer ever seeing a prompt or warning.

The worm’s design uses multiple techniques working together. It smuggles payloads through the Bun JavaScript runtime, a newer alternative to Node.js that some security tools do not yet monitor closely. It abuses GitHub Actions, the automated workflow system built into GitHub, to propagate across repositories. And it exfiltrates developer credentials and CI/CD secrets, the tokens and API keys that grant access to build systems, cloud services, and package registries.

That combination allows Mini Shai-Hulud to move laterally. Once it infects one package, it can use stolen credentials to publish tainted versions of other packages the same developer maintains, creating a chain reaction. That chain reaction has already played out: the worm reached 169 npm packages across multiple projects, according to external scanning of the npm registry. Libraries associated with TanStack, UiPath, and Squawk appeared among those flagged, though none of those projects have publicly confirmed the compromise.

Security researchers have attributed the worm to a group or persona identified as TeamPCP, which has been linked to earlier iterations of the same malware family. That attribution comes from reverse-engineering efforts by private security companies, not from law enforcement or government agencies.

What makes this structurally different

Traditional npm malware executes during package installation. It phones home, drops a payload, or both. A developer who catches the problem and removes the package has generally cleaned up the threat.

Mini Shai-Hulud breaks that assumption. Because it modifies configuration files that AI coding agents and code editors trust implicitly, the worm survives package removal. A developer who uninstalls the infected dependency but does not manually inspect and clean their .claude and .vscode directories remains compromised. The malware lives in tool configs, not in the package code itself, and it reactivates every time the project is opened.

This is a meaningful escalation. AI coding assistants like Claude Code are designed to read project-level settings and act on them, executing commands, modifying files, and interacting with external services on the developer’s behalf. That trust relationship, which makes these tools useful, also makes them powerful persistence vectors. As Layer Seven Security noted in its analysis of the SAP supply chain exposure, development-time integrations can become high-value pivots into build systems and cloud environments. Any tool that can read and execute project-level configuration files must be governed with the same rigor as CI servers or deployment orchestrators.

What remains uncertain

As of late May 2026, several significant gaps remain in the public record.

Neither SAP nor Anthropic has issued a public statement about the breach’s scope, the timeline of remediation, or what safeguards have been applied to prevent recurrence. Microsoft, which owns both GitHub and VS Code, has also been silent. The absence of official vendor response leaves open questions about how many downstream users installed compromised package versions before they were flagged, and whether the .claude/settings.json persistence mechanism has been addressed in Claude Code itself.

The full blast radius of secret theft is similarly unclear. The worm targets CI/CD secrets and developer credentials, but no firm has published a verified count of how many tokens, API keys, or deployment credentials were actually exfiltrated. Without that data, the downstream risk to production systems that relied on those secrets is difficult to quantify. It is also unknown how many of the stolen credentials have since been rotated, or whether any have already been used in follow-on intrusions not yet publicly linked to Mini Shai-Hulud.

There are also open questions about the initial intrusion path. Public reporting indicates the attacker leveraged Claude Code’s GitHub integration to reach the SAP CAP repositories, but it is not yet clear whether this stemmed from stolen developer tokens, weaknesses in project-level permissions, or misconfigurations in connected services. Without a transparent post-incident report from the affected organizations, defenders are left to infer root causes from the behavior of the malware rather than from authoritative forensic timelines.

The 169-package figure itself carries a caveat. It comes from external scanning of the npm registry by security researchers, not from a confirmed vendor disclosure or an audit by npm’s own infrastructure team. It is strong evidence, but it is not the same as a definitive count.

What developers and security teams should do now

The practical first step is straightforward but easy to overlook: audit the .claude/settings.json and .vscode/tasks.json files in every active project directory, together with any .claude/settings.local.json beside them and the user-level ~/.claude/settings.json, since Claude Code runs hooks defined in any of those files. Look for unexpected entries, particularly hook commands or tasks that reference external URLs, invoke a shell or a runtime such as bun or node, decode embedded data, or touch CI workflow files; in tasks.json, an entry whose runOptions set runOn to folderOpen is the one that executes automatically. These are the files where Mini Shai-Hulud hides, and because they sit outside package.json and the lockfile, dependency audits such as npm audit will not catch them.

Rotating any secrets that were accessible to CI/CD pipelines during the exposure window is equally urgent. Stolen credentials do not expire when the malware is removed. If a token was exfiltrated before the compromise was detected, it remains valid until it is revoked.

For organizations assessing broader exposure, a structured response should include inventorying all projects that depend on the affected SAP CAP packages and their downstream dependencies, scanning repositories for suspicious workflow changes, and validating that no unauthorized accounts have published new package versions. Where possible, logs from CI systems and artifact registries should be reviewed for anomalous publishing activity during the known compromise window. Even in the absence of confirmed credential theft, preemptive rotation of high-privilege tokens is a low-regret mitigation.

AI coding tools are now part of the attack surface

Mini Shai-Hulud is not the last attack that will target AI coding agent configurations. It is the first. The same trust model that makes Claude Code, GitHub Copilot, and similar tools productive also makes them attractive to attackers: they read project-level files, execute instructions, and interact with external services, often with the developer’s full set of credentials.

Until vendors provide clearer visibility into what these tools execute, stronger integrity checks on configuration files, and hardened defaults that limit automatic execution, defenders will need to treat editor and agent configs as sensitive executable code. That means version-controlling them, reviewing changes, and including them in security scans alongside the rest of the build chain.

The worm’s name extends that of the earlier Shai-Hulud npm worm, itself a nod to the sandworms of Frank Herbert’s Dune, creatures that move unseen beneath the surface. The analogy is apt. Mini Shai-Hulud does not announce itself. It burrows into the tools developers trust most and waits to be activated. A developer who installed a compromised package weeks ago and has since moved on to other work may still be carrying it.

*This article was researched with the help of AI, with human editors creating the final content.