SAP npm Packages Compromised by "Mini Shai-Hulud" Credential-Stealing Malware
Briefly

"The affected versions introduced new installation-time behavior that was not previously part of these packages' expected functionality. The compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary."
"The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk for affected developer and CI/CD environments."
"The suspicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. The poisoned packages introduce a new package.json preinstall hook that runs a file named 'setup.mjs,' which acts as a loader for the Bun JavaScript runtime to execute the credential stealer and propagation framework ('execution.js')."
"According to Aikido, the malware is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and exfiltrated to public GitHub repositories created on the victim's own account with the description 'A Mini Shai-Hulud has Appea."
A supply chain attack campaign named mini Shai-Hulud is targeting SAP-related npm packages, introducing credential-stealing malware. Affected packages include mbt@1.2.48 and @cap-js/db-service@2.10.1. The compromised versions added a preinstall script that downloads and executes a Bun binary. This implementation follows HTTP redirects without validation and uses PowerShell with -ExecutionPolicy Bypass, increasing risks for developers. The malware harvests local credentials and cloud secrets, exfiltrating data to public GitHub repositories created on the victim's account.
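The following is an added defender-side example, not code from the article or from any of the affected projects: it audits package.json manifests for the install-time behaviour described above (a lifecycle hook that runs setup.mjs, fetches Bun from GitHub Releases, or invokes PowerShell with -ExecutionPolicy Bypass) and flags the two compromised versions named in the summary. The regex patterns, the sample manifests and the `audit_tree` walker are assumptions for illustration; the version list is only what this page names.

```python
import json
import re
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Compromised versions named on this page (not a complete list).
KNOWN_BAD = {("mbt", "1.2.48"), ("@cap-js/db-service", "2.10.1")}

# Heuristic patterns for the bootstrapper described in the article:
# a setup.mjs loader, a Bun download from GitHub Releases, or a
# PowerShell execution-policy bypass. Expect some false positives on
# projects that legitimately use Bun; treat hits as leads to review.
SUSPICIOUS = re.compile(
    r"setup\.mjs|\bbun\b|github\.com/\S*/releases|ExecutionPolicy\s+Bypass",
    re.IGNORECASE,
)


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed package.json."""
    findings = []
    name, version = manifest.get("name", "?"), manifest.get("version", "?")
    if (name, version) in KNOWN_BAD:
        findings.append(f"{name}@{version}: version listed as compromised")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd and SUSPICIOUS.search(cmd):
            findings.append(f"{name}@{version}: {hook} hook runs {cmd!r}")
    return findings


def audit_all(manifests) -> list:
    return [f for m in manifests for f in audit_manifest(m)]


def audit_tree(root) -> list:
    """Walk a node_modules tree (or any directory) and audit every package.json."""
    manifests = []
    for path in Path(root).rglob("package.json"):
        try:
            manifests.append(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
    return audit_all(manifests)


# Constructed sample manifests, not the real package contents.
SAMPLES = [
    {"name": "mbt", "version": "1.2.48", "scripts": {"preinstall": "node setup.mjs"}},
    {"name": "harmless-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
    {"name": "@cap-js/db-service", "version": "2.9.0", "scripts": {"postinstall": "node ./bin/build.js"}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

Run `audit_tree("node_modules")` in a project checkout or CI image to review real installs; pairing this with `npm install --ignore-scripts` blocks preinstall hooks from running at all while the audit is done.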
Read at The Hacker News