Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer

April 29, 2026

The ongoing Mini Shai-Hulud campaign expanded its operations by directly targeting enterprise resource environments, specifically compromising SAP-related npm packages. The attackers integrated a sophisticated postinstall payload that runs natively using the high-performance Bun runtime engine rather than standard Node.js execution hooks. Once an organization pulls the infected package into their development or deployment pipelines, the script triggers immediately, scanning local files, environmental variables, and continuous integration paths to harvest authentication tokens, cloud deployment access codes, and proprietary corporate secrets. The malware is heavily engineered to use these newly stolen credentials to automatically access connected GitHub repositories, searching for further access vectors and deploying a secondary replication mechanism called OhNoWhatsGoingOnWithGitHub to pivot deeper into corporate cloud platforms.Enterprise architecture teams must immediately lock down their package managers and freeze updates for any SAP-related npm modules. Engineering leads should scan their environments for unauthorized Bun executions and check system profiles for the presence of anomalous repository scripts. It is critical to revoke and regenerate all GitHub access tokens, cloud service account keys, and environment variables that were exposed during the compromise window, while enforcing strict IP address restrictions on code publishing platforms.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?