BotBeat

StepSecurity | Research | 2026-04-29

Supply Chain Attack on SAP npm Packages Uses Bun Runtime to Evade Detection

Key Takeaways

  • Attackers used the Bun JavaScript runtime in place of Node.js to evade detection tools, representing a novel evasion technique in supply chain attacks
  • Two critical SAP packages (mbt and @cap-js/sqlite) were compromised, specifically targeting enterprise SAP development environments
  • StepSecurity's analysis detected the attack through anomaly signals: new preinstall scripts, undocumented files, and a 500x package size increase in a single version
Source: Hacker News, https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared

Summary

StepSecurity's security research team has identified a coordinated npm supply chain attack targeting SAP-related development packages in a variant of the Shai-Hulud campaign. The attack compromises mbt v1.2.48 and @cap-js/sqlite v2.2.2, injecting a heavily obfuscated 11 MB payload that downloads the Bun JavaScript runtime instead of relying on Node.js — a technique designed to evade detection tools commonly focused on Node.js execution patterns.

The compromise represents the first time malicious code was injected into these legitimate SAP packages. A preinstall script was introduced for the first time, triggering before normal installation logic runs, while two undocumented files (setup.mjs and execution.js) were added with no prior version history. Each affected package grew by 500x in a single version bump — from 23 KB to 11.7 MB — a structural anomaly indicative of injected malware.

Victim repositories are appearing in real time on GitHub, each bearing a hardcoded message from the payload: "A Mini Shai-Hulud has Appeared." This indicates active credential theft and potential compromise of SAP enterprise development environments. StepSecurity has responsibly disclosed findings to affected package maintainers and is actively investigating additional compromised packages in the SAP ecosystem.

  • Credential theft is occurring in real time, with compromised developer accounts creating victim repositories on GitHub
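The three anomaly signals described in the summary, as an added detection check written here for illustration (not StepSecurity's tooling or the packages' own code): it diffs two version snapshots of one package for a newly added install hook, files with no prior history, and an order-of-magnitude size jump. The snapshots are constructed; the prior version is a labelled placeholder and the preinstall command is assumed.

```javascript
// Lifecycle hooks that run arbitrary code during `npm install`; a hook that
// appears for the first time in a version is the first signal from the write-up.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Sum the byte sizes of a { path: bytes } file map.
function totalBytes(files) {
  return Object.values(files).reduce((sum, bytes) => sum + bytes, 0);
}

// Compare two version snapshots of one package, each shaped
// { version, scripts, files: { path: bytes } }, and return anomaly findings.
function diffVersions(prev, next, sizeRatioThreshold = 10) {
  const findings = [];
  const prevScripts = prev.scripts || {};
  const nextScripts = next.scripts || {};
  // Signal 1: an install-time hook with no counterpart in the previous version.
  for (const hook of INSTALL_HOOKS) {
    if (nextScripts[hook] !== undefined && prevScripts[hook] === undefined) {
      findings.push({ signal: "new-install-hook", detail: `${hook}: ${nextScripts[hook]}` });
    }
  }
  // Signal 2: files shipped in the new version that have no prior history.
  for (const path of Object.keys(next.files)) {
    if (!(path in prev.files)) findings.push({ signal: "new-file", detail: path });
  }
  // Signal 3: package size growing by an order of magnitude in a single bump.
  const ratio = totalBytes(next.files) / Math.max(totalBytes(prev.files), 1);
  if (ratio >= sizeRatioThreshold) {
    findings.push({ signal: "size-jump", detail: `${Math.round(ratio)}x` });
  }
  return findings;
}

// Constructed sample input. The prior version is a placeholder; the file names,
// the 23 KB -> 11.7 MB growth and the compromised version number come from the summary.
const priorVersion = {
  version: "PRIOR-VERSION-PLACEHOLDER",
  scripts: { test: "mocha" },
  files: { "lib/index.js": 23 * 1024 },
};
const bumpedVersion = {
  version: "1.2.48",
  scripts: { test: "mocha", preinstall: "node setup.mjs" }, // hook command is assumed
  files: { "lib/index.js": 23 * 1024, "setup.mjs": 4 * 1024, "execution.js": 11.7 * 1024 * 1024 },
};

for (const f of diffVersions(priorVersion, bumpedVersion)) {
  console.log(`[${f.signal}] ${f.detail}`);
}
```

Run against real registry data by filling the snapshots from `npm view <pkg>@<version> scripts dist.unpackedSize` and the tarball's file listing for two consecutive versions.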

Editorial Opinion

This attack underscores the escalating sophistication of npm supply chain compromises and the critical need for runtime-agnostic anomaly detection. The targeting of SAP development tools is particularly concerning given their ubiquity in enterprise environments — the shift to Bun as an evasion vector shows attackers are staying ahead of detection strategies focused on Node.js. Organizations should immediately audit SAP package dependencies and investigate any unexpected preinstall or setup scripts in their development pipelines.

Tags: Machine Learning, Cybersecurity, Privacy & Data, Open Source
