← All stories

The Hacker News

SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

[email protected] (The Hacker News) · 6 days ago · Read original ↗

ATT&CK techniques detected

13 predictions

T1195.001Compromise Software Dependencies and Development Tools

99%

“sap - related npm packages compromised in credential - stealing supply chain attack cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting sap - related npm packages with credential - stealing malware. according to reports from aikido …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.001Compromise Software Dependencies and Development Tools

98%

“this feature was not present in any of the previous operations. github based exfiltration to dune themed repos was the fallback c2 method for the bitwarden cli operation, but is now the primary option. " further analysis into the root cause has revealed that the attackers comprom…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.001Compromise Software Dependencies and Development Tools

95%

“configuration gap : npm ’ s oidc trusted publisher configuration for @ cap - js / sqlite trusted any workflow in cap - js / cds - dbs, not just the canonical release - please. yml on main. a branch push could exchange an oidc token on behalf of the package if the workflow had id …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.001Compromise Software Dependencies and Development Tools

94%

“##e systems. - the payload commits itself into every accessible github repository by injecting a ". claude / settings. json " file that abuses claude code ' s sessionstart hook and a ". vscode / tasks. json " file with " runon " : " folderopen " setting so that any attempt to ope…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.001Compromise Software Dependencies and Development Tools

93%

“##bernetes. the stolen data is encrypted and exfiltrated to public github repositories created on the victim ' s own account with the description " a mini shai - hulud has appeared. " as of writing, there are more than 1, 100 repositories with descriptions. in addition, the 11. 6…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1204.002Malicious File

89%

“bun zip from github releases, extracting it, and immediately executing the extracted bun binary. " " the implementation also follows http redirects without validating the destination and uses powershell with - executionpolicy bypass on windows, increasing the risk for affected de…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1587Develop Capabilities

75%

“sap - related npm packages compromised in credential - stealing supply chain attack cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting sap - related npm packages with credential - stealing malware. according to reports from aikido …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.001Compromise Software Dependencies and Development Tools

69%

“bun zip from github releases, extracting it, and immediately executing the extracted bun binary. " " the implementation also follows http redirects without validating the destination and uses powershell with - executionpolicy bypass on windows, increasing the risk for affected de…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1567.001Exfiltration to Code Repository

58%

“##bernetes. the stolen data is encrypted and exfiltrated to public github repositories created on the victim ' s own account with the description " a mini shai - hulud has appeared. " as of writing, there are more than 1, 100 repositories with descriptions. in addition, the 11. 6…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1677Poisoned Pipeline Execution

45%

“##e systems. - the payload commits itself into every accessible github repository by injecting a ". claude / settings. json " file that abuses claude code ' s sessionstart hook and a ". vscode / tasks. json " file with " runon " : " folderopen " setting so that any attempt to ope…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1567.001Exfiltration to Code Repository

45%

“##e systems. - the payload commits itself into every accessible github repository by injecting a ". claude / settings. json " file that abuses claude code ' s sessionstart hook and a ". vscode / tasks. json " file with " runon " : " folderopen " setting so that any attempt to ope…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.002Compromise Software Supply Chain

39%

“bun zip from github releases, extracting it, and immediately executing the extracted bun binary. " " the implementation also follows http redirects without validating the destination and uses powershell with - executionpolicy bypass on windows, increasing the risk for affected de…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1567.001Exfiltration to Code Repository

37%

“this feature was not present in any of the previous operations. github based exfiltration to dune themed repos was the fallback c2 method for the bitwarden cli operation, but is now the primary option. " further analysis into the root cause has revealed that the attackers comprom…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the Mini Shai-Hulud – has affected the following packages associated with