Mini Shai Hulud: The Supply Chain Attack That Weaponized Bun to Steal Your CI/CD Secrets
TL;DR
TeamPCP (the crew behind Bitwarden and Checkmarx breaches) just compromised 4 SAP npm packages with malicious preinstall scripts that download and execute an 11MB obfuscated payload using the Bun JavaScript runtime—a detection evasion technique not seen before in npm supply chain attacks. The payload harvests GitHub tokens, npm credentials, cloud secrets (AWS/Azure/GCP), Kubernetes tokens, GitHub Actions runner secrets, and browser passwords. Exfiltration happens via encrypted payloads to attacker-controlled GitHub repositories. Self-propagation logic means it weaponizes stolen npm tokens to cascade through entire developer ecosystems.
What Happened
On April 29, 2026, a supply chain attack dubbed "Mini Shai Hulud" (a reference to the original Shai-Hulud 2025 worm) hit the npm ecosystem. The attack compromised four SAP Cloud Application Programming Model (CAP) ecosystem packages:
- @cap-js/sqlite v2.2.2
- @cap-js/postgres v2.2.2
- @cap-js/db-service v2.10.1
- mbt v1.2.48
Security firms Wiz, Aikido, StepSecurity, Socket, SafeDep, and CyberSecurityNews independently identified the attack within hours of deployment. By the time researchers published warnings, the malware had already begun harvesting developer credentials from anyone who ran npm install on a compromised version.
The attack was live for at least 4 hours before widespread detection—enough time to compromise hundreds of developer workstations and CI/CD pipelines in enterprise SAP environments.
Technical Details: The Bun Escape Hatch
Phase 1: The Preinstall Trigger
The attack vector is surgically simple: attackers modified the legitimate SAP packages to include a weaponized preinstall hook in package.json. When developers ran npm install, the hook silently executed setup.mjs—a dropper script that downloads the Bun JavaScript runtime and executes a heavily obfuscated second-stage payload.
package.json (modified):
    "scripts": {
      "preinstall": "node setup.mjs"
    }
Why Bun?
This is the attack's genius move. Most npm security tooling and static analysis systems are built to detect Node.js-based payload execution. By shifting execution to Bun (an alternative JavaScript runtime), the malware evaded detection systems that profile Node.js execution patterns. Bun's behavior differs enough that traditional npm security sandboxes and monitors miss the execution flow entirely.
The payload (execution.js) is 11.7MB of obfuscated JavaScript—intentionally large to slow reverse engineering and detection signature creation.
Phase 2: Multi-Stage Credential Harvesting
Once executed, the second-stage payload (execution.js) becomes a full-featured credential stealer and self-propagation framework. It systematically harvests:
- GitHub tokens (PATs, OAuth tokens) from developer workstations
- npm credentials from ~/.npmrc and environment variables
- Cloud provider secrets: AWS keys, Azure tokens, GCP service accounts
- Kubernetes tokens and service account credentials
- GitHub Actions secrets: Runner environment variables, including secrets extracted directly from process memory
- Browser credentials: Passwords and auth tokens from Chrome, Safari, Edge, Brave, Chromium
Novel to this attack: browser password extraction—a capability absent from previous TeamPCP operations.
Phase 3: Encrypted Exfiltration & GitHub-as-C2
Stolen credentials are encrypted with a shared RSA public key and posted to attacker-controlled GitHub repositories using the GraphQL API. The repo descriptions follow a consistent pattern: "Checkmarx Configuration Storage" (matching the April 2026 Checkmarx breach playbook).
Critically, GitHub IS the C2 infrastructure. No external domain callbacks. No reliance on traditional botnet infrastructure. Just public GitHub repos as exfiltration points.
Phase 4: Self-Propagation via Stolen Tokens
If the malware successfully harvests an npm token, it automatically:
1. Identifies other packages under the compromised maintainer's account
2. Injects the same malicious preinstall hook
3. Republishes the packages
This enables exponential, automated spread across the npm ecosystem without requiring human intervention from the attacker. One compromised developer = dozens of poisoned packages.
The Smoking Gun: TeamPCP Attribution
Researchers attribute this to TeamPCP with high confidence, based on:
1. Shared RSA public key — The same encryption key used in Bitwarden and Checkmarx operations
2. Identical cipher routines — The __decodeScrambled function used to obfuscate secrets before exfiltration
3. Russian language geofencing — The malware checks if the system locale contains 'ru' (Russian). If true, it self-terminates immediately without exfiltrating data. This behavior was present in Checkmarx, Bitwarden, and previous TeamPCP operations—a fingerprint so consistent it's almost a signature.
4. Identical dropper SHA256 — setup.mjs (SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34) is identical across all four compromised packages
5. GitHub-based exfiltration pattern — Matches the fallback C2 mechanism from Bitwarden CLI breach
TeamPCP has now compromised: Trivy, LiteLLM, Checkmarx KICS, Bitwarden CLI, and now SAP CAP. The crew is systematically targeting security and development infrastructure—the kill chain for enterprise software supply chains.
Lyrie Assessment: Why This Matters
The Detection Evasion Evolution
This attack represents a worrying escalation in npm supply chain tradecraft: the use of alternative JavaScript runtimes to evade Node.js-centric security tooling. For CISOs and DevSecOps teams:
- npm audit won't catch this (it runs post-install, after the damage is done)
- GitHub Dependabot won't catch this (it flags updates, not malicious preinstall scripts)
- Traditional SIEM/EDR tuned to Node.js patterns will miss Bun execution
- Package signature verification is bypassed because the packages are legitimately re-signed by TeamPCP after compromise
This is the supply chain version of a zero-day. Not a vulnerability in the packages themselves, but a compromise of the release pipeline.
The CI/CD Credential Apocalypse
The real terror here is GitHub Actions secret extraction. Every npm install in a CI/CD pipeline now becomes a potential credential harvesting point. A single poisoned dependency on a GitHub Actions runner = all your cloud secrets, all your GitHub tokens, all your Kubernetes credentials.
For organizations using SAP CAP:
- If a developer or CI/CD pipeline installed @cap-js/postgres v2.2.2, @cap-js/sqlite v2.2.2, @cap-js/db-service v2.10.1, or mbt v1.2.48 after April 29, assume total compromise of that environment's credentials.
The Autonomy Angle: Self-Propagating Worms Go Mainstream
This is the third major npm self-propagating worm in 30 days (after CanisterWorm and Shai-Hulud variants). The supply chain is now defending against fully autonomous attack code that spreads without attacker intervention. This is the first wave of autonomous offensive capability hitting production ecosystems.
Indicators of Compromise (IOCs)
Affected Package Versions (Block These Immediately)
| Package | Compromised Version | Tarball SHA256 |
|---------|-------------------|-----------------|
| @cap-js/postgres | 2.2.2 | 1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee |
| @cap-js/db-service | 2.10.1 | 258257560fe2f1c2cc3924eae40718c829085b52ae3436b4e46d2565f6996271 |
| @cap-js/sqlite | 2.2.2 | a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211 |
| mbt | 1.2.48 | 86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41 |
Files to Hunt For
- setup.mjs (SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34)
- execution.js: varies by package, but all are 11.7MB obfuscated JavaScript
- Suspicious Bun runtime downloads during npm install operations (a novel behavioral indicator)
Detection Signal
Monitor for:
- Unexpected Bun binary downloads during dependency installation
- Stolen credentials appearing in attacker-controlled GitHub repos (search GitHub for repo names matching word1-word2-number pattern)
- CI/CD pipeline tokens rotated unexpectedly
- Suspicious commits from unexpected authors post-install
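One way to turn the "Bun during dependency installation" signal into a rule is a process-ancestry check. This is an added example, not code from the original article or from any vendor named in it. The event shape (pid, ppid, argv) and the sample events are constructed assumptions, to be mapped onto whatever your EDR or runner audit log emits.

```javascript
// Constructed process-creation events (hypothetical telemetry shape).
const EVENTS = [
  { pid: 100, ppid: 1, argv: ['bash'] },
  { pid: 110, ppid: 100, argv: ['npm', 'install'] },
  { pid: 120, ppid: 110, argv: ['sh', '-c', 'node setup.mjs'] },
  { pid: 130, ppid: 120, argv: ['node', 'setup.mjs'] },
  { pid: 140, ppid: 130, argv: ['/tmp/x/bun', 'execution.js'] }, // constructed path
  { pid: 200, ppid: 100, argv: ['bun', 'run', 'dev'] }, // developer's own Bun use
];

const ALT_RUNTIMES = new Set(['bun', 'deno']);
const INSTALLERS = new Set(['npm', 'npm-cli.js', 'yarn', 'pnpm']);
const INSTALL_VERBS = new Set(['install', 'i', 'ci', 'add']);

// Basename without directory or a Windows .exe suffix.
const base = (p) => p.split(/[\\/]/).pop().replace(/\.exe$/i, '');

// True for "npm install", "node .../npm-cli.js ci", "pnpm add x", and similar.
function isInstall(argv) {
  const i = argv.findIndex((a) => INSTALLERS.has(base(a)));
  return i !== -1 && argv.slice(i + 1).some((a) => INSTALL_VERBS.has(a));
}

// Flags alternative-runtime processes that descend from a package install.
function findRuntimeUnderInstall(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const e of events) {
    if (!ALT_RUNTIMES.has(base(e.argv[0]))) continue;
    const seen = new Set(); // guards against ppid cycles in bad data
    let depth = 0;
    for (let p = byPid.get(e.ppid); p && !seen.has(p.pid); p = byPid.get(p.ppid)) {
      seen.add(p.pid);
      depth += 1;
      if (isInstall(p.argv)) {
        alerts.push({ pid: e.pid, runtime: base(e.argv[0]), installerPid: p.pid, depth });
        break;
      }
    }
  }
  return alerts;
}

console.log(findRuntimeUnderInstall(EVENTS));
```

Only the Bun process spawned beneath the install is reported; the developer's interactive `bun run dev` is not, which keeps the rule usable on workstations where Bun is installed legitimately.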
Recommended Actions
Immediate (Next 2 Hours)
1. Audit your lockfiles — Search package-lock.json and yarn.lock for the four compromised package versions
2. Check your CI/CD logs — Look for any GitHub Actions runs that installed these packages in the last 24 hours
3. Block the versions at the package manager level — Use npm policies to prevent these versions from ever installing
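The lockfile audit in step 1 can be scripted. The following is an added example, not code from the original article: it checks a parsed package-lock.json (lockfile versions 1 to 3) against the four name/version pairs in the IOC table and also lists every package npm has marked with `hasInstallScript`. yarn.lock is not covered, and the sample lockfile is constructed.

```javascript
// IOC name@version pairs copied from the table on this page.
const COMPROMISED = new Map([
  ['@cap-js/postgres', '2.2.2'],
  ['@cap-js/db-service', '2.10.1'],
  ['@cap-js/sqlite', '2.2.2'],
  ['mbt', '1.2.48'],
]);

// v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; keep the last name.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Takes a parsed package-lock.json; returns IOC hits and install-script packages.
function auditLockfile(lock) {
  const compromised = [];
  const installScripts = [];
  const check = (name, entry, where) => {
    const hit = entry.version && COMPROMISED.get(name) === entry.version;
    if (hit) compromised.push(`${name}@${entry.version} (${where})`);
    if (entry.hasInstallScript) installScripts.push(`${name}@${entry.version}`);
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || nameFromPath(path);
    if (name) check(name, entry, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry, `${trail}>${name}`);
      walk(entry.dependencies, `${trail}>${name}`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return { compromised, installScripts };
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@cap-js/sqlite': { version: '2.2.2', hasInstallScript: true },
    'node_modules/@cap-js/postgres': { version: '2.2.1' },
    'node_modules/foo/node_modules/mbt': { version: '1.2.48', hasInstallScript: true },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, pass `JSON.parse` of the lockfile contents to `auditLockfile`; transitive copies nested under other packages are reported with their full install path.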
Short-Term (Next 24 Hours)
1. Rotate ALL credentials — GitHub tokens, npm tokens, AWS keys, Azure creds, GCP service accounts, Kubernetes tokens. Assume complete compromise of any environment where these packages were installed.
2. Audit GitHub commit history — Look for unexpected commits from unexpected authors, or new repositories created after these packages were installed
3. Review GitHub Actions secrets — If any Actions workflows ran with these packages installed, rotate those secrets immediately
4. Update to patched versions — npm maintainers have published safe versions. Update all four packages immediately
Strategic (This Week)
1. Implement pre-install hooks verification — Require code review of any preinstall script changes before merging to main/release branches
2. Shift-left npm security — Test all dependencies in isolated environments before they touch production CI/CD pipelines
3. Monitor for self-propagating patterns — Look for automated, repeated commits from the same author across multiple repos in your organization
4. Increase visibility into alternative runtime usage — Monitor for Bun, Deno, and other non-Node.js execution during dependency installation
Lyrie Verdict ⚖️
The supply chain isn't a pipe anymore—it's a living attack surface. When a single npm install can harvest your entire AWS account, your GitHub tokens, your Kubernetes infrastructure, and your CI/CD secrets, the economics of security shift fundamentally.
TeamPCP's willingness to weaponize alternative runtimes and self-propagate across multiple registries shows a crew that's adapting faster than traditional defense tooling can respond. They're not just targeting individual developers—they're weaponizing the ecosystem itself as a propagation vector.
For enterprises: assume that within the next 90 days, every major development framework will have a supply chain equivalent of this attack. The defenders who survive are the ones who revoke first, investigate second, and assume the entire CI/CD supply chain is compromised until proven otherwise.
Lyrie.ai Cyber Research Division
Sources
1. Wiz: Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
2. CyberSecurityNews: SAP npm Packages Compromised to Harvest Developer and CI/CD Secrets
3. The Hacker News: SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack
4. Aikido Security Blog: Mini Shai Hulud