TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Snyk Blog

"A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages

2026-04-29

ATT&CK techniques detected

20 predictions
T1195.001 Compromise Software Dependencies and Development Tools (99%)
“"A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages April 29, 2026 0 mins read On April 29, 2026, attackers published malicious versi…”

T1195.001 Compromise Software Dependencies and Development Tools (97%)
“day) reads: "On April 29, 2026, a supply chain attack compromised the repository — an unauthorized actor pushed malicious commits that hijacked the release workflow and triggered unauthorized npm publications. The attacker was able to publish compromised packages because the w…”

T1195.001 Compromise Software Dependencies and Development Tools (93%)
“before. The original Shai-Hulud campaign in September 2025 hit @ctrl/tinycolor, ngx-bootstrap, ng2-file-upload, and a long tail of dependents (Snyk's zero-day vulnerability report tracked it as it unfolded). The follow-on wave Sha1-Hulud in November 2025 expa…”

T1195.001 Compromise Software Dependencies and Development Tools (93%)
“. The campaign reuses the Shai-Hulud name (the dead-drop repositories are tagged with it) and includes functional npm self-propagation code per StepSecurity's full deobfuscation. As of publication, only the four originally compromised packages have been observed in the …”

T1195.001 Compromise Software Dependencies and Development Tools (89%)
“/sqlite@2.2.2 was unpublished from npm shortly after detection. The remaining malicious versions carry npm deprecation strings: mbt@1.2.48 is flagged with "Security: This version contains malicious code. Do not use." while the @cap-js/* malicious versions read "…”

T1195.001 Compromise Software Dependencies and Development Tools (89%)
“self-publishing: the code is present and functional per StepSecurity's static deobfuscation. The payload harvests npm tokens with regex /npm_[a-zA-Z0-9]{36,}/g, validates each one against registry.npmjs.org/-/npm/v1/tokens (filtering for bypass_2fa…”

T1195.001 Compromise Software Dependencies and Development Tools (89%)
“new persistence mechanism. Defensive priorities (lockfile audit, credential rotation, lifecycle script policy) are the same either way. How the attack works The compromise pattern is consistent across all four packages: the malicious tarball preserves the legitimate package fi…”

T1195.001 Compromise Software Dependencies and Development Tools (83%)
“Anthropic's claude-code #49778 on the SessionStart hook was filed twelve days earlier and remains open without an Anthropic response, citing a real-world precedent in the Cozempic supply chain audit. The Trivy AI-agent compromise (CVE-2026-28353) in March 2026 went…”

T1195.001 Compromise Software Dependencies and Development Tools (82%)
“. The injected workflow uses ${{ toJSON(secrets) }} to dump every repository secret into a build artifact named format-results.txt. Daemonization on developer machines. On non-CI hosts, the payload forks itself as a detached background process tagged with the env var _…”

T1195.001 Compromise Software Dependencies and Development Tools (77%)
“range can pull @cap-js/db-service@2.10.1 (the malicious version) as a transitive without anyone listing it directly. For Snyk customers, snyk test and snyk monitor will surface the malicious versions against the four advisories listed above. The Snyk Advisor pages fo…”

T1587 Develop Capabilities (76%)
“"A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages April 29, 2026 0 mins read On April 29, 2026, attackers published malicious versi…”

T1195.001 Compromise Software Dependencies and Development Tools (71%)
“hook attack vector itself was reported to npm in 2016 and marked working as intended, as paulirish reflagged on Hacker News; a decade later, it remains the most-exploited surface in the ecosystem. Snyk has more on this in npm security best practices and a longer treatment of u…”

T1195.001 Compromise Software Dependencies and Development Tools (67%)
“…mjs.org and the GitHub API: 09:55:25: mbt@1.2.48 published from the cloudmtabot npm account. 10:01:07: first victim dead-drop repository appears on GitHub (gruposbftechrecruiter/siridar-navigator-935, per GitHub API timestamps). 11:25:47: @cap-j…”

T1587 Develop Capabilities (59%)
“/sqlite@2.2.2 was unpublished from npm shortly after detection. The remaining malicious versions carry npm deprecation strings: mbt@1.2.48 is flagged with "Security: This version contains malicious code. Do not use." while the @cap-js/* malicious versions read "…”

T1195.001 Compromise Software Dependencies and Development Tools (48%)
“additions. Pin to clean versions. For the three @cap-js packages, prefer SAP's post-incident releases (@cap-js/db-service@2.11.0, @cap-js/sqlite@2.4.0, @cap-js/postgres@2.3.0) as the forward pin and the pre-incident versions (2.10.0, 2.…”

T1195.001 Compromise Software Dependencies and Development Tools (43%)
“CLI and Advisor pages). Both prior campaigns demonstrated worm behavior: the payload would harvest a victim's npm token, then use it to publish itself into every other package the token had write access to. Public attention has tracked accordingly: the Wikipedia article on t…”

T1195.001 Compromise Software Dependencies and Development Tools (40%)
“contains a single README.md plus one or more files at results/results-<unix-ms>-<counter>.json. Direct inspection of one live victim repo by external researchers confirmed the file format: because the wrapping key is the attacker's RSA-4096 public key, the cont…”

T1195.001 Compromise Software Dependencies and Development Tools (36%)
“…ffs. Treat additions in either file as a potential supply chain signal, even if they look like routine dependency hygiene commits. For SOC and detection engineering teams, the Microsoft Defender KQL queries published in m4nbat/100_days_of_kql_2026 (day 17) catch the…”

T1587 Develop Capabilities (35%)
“new persistence mechanism. Defensive priorities (lockfile audit, credential rotation, lifecycle script policy) are the same either way. How the attack works The compromise pattern is consistent across all four packages: the malicious tarball preserves the legitimate package fi…”

T1204.002 Malicious File (33%)
“…nyk has seen elsewhere this year, including the axios cross-platform RAT incident where the install hook reached out for a native binary delivered through a separate dependency. For mbt, the diff between 1.2.47 (clean) and 1.2.48 (malicious) looks like this: preinsta…”

Summary

A new npm supply chain attack self-branded "Mini Shai-Hulud" compromised four SAP-ecosystem packages on April 29, 2026. Snyk has live advisories. Here's the technical breakdown, IOCs, and what to do.