Mini Shai-Hulud SAP npm Bun Runtime Payloads

Suspected
Discovered Apr 29, 2026

StepSecurity described a Mini Shai-Hulud npm campaign against SAP-related packages where preinstall hooks downloaded Bun, launched an obfuscated payload, scraped runner memory, created public GitHub dead-drop repositories, and attempted developer-workstation persistence.

4
Affected Packages
22
Observables
2
Sources

Analysis

Executive Summary

StepSecurity described a Mini Shai-Hulud npm campaign against SAP-related packages where preinstall hooks downloaded Bun, launched an obfuscated payload, scraped runner memory, created public GitHub dead-drop repositories, and attempted developer-workstation persistence.

This folder ports older Astro-era supply-chain coverage into the canonical hp-posts-info authoring shape so the Next.js/Postgres importer can serve it. The current status is needs_review: the source-backed indicators are captured, but the pass intentionally does not claim fresh artifact diffing beyond the cited primary research.

Key Facts

  • Affected assets: mbt, @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service.
  • Execution trigger: npm preinstall hook runs node setup.mjs, downloads Bun, and launches execution.js.
  • Credential risk: GitHub, OIDC, cloud, package-registry, and developer credentials reachable from impacted CI or developer environments.
  • Relationship: migrated from the older Astro blog supply-chain roundup into a standalone Next.js/Postgres-ready incident folder.

Defender Handling

Run the included scope scanner over repository exports, package caches, CI logs, and endpoint telemetry. Treat matches in live dependency manifests, lockfiles, workflow definitions, or runner process/network logs as exposure signals until the owning team confirms whether the malicious artifact actually executed.

Open Questions

This migration captures coverage and source-backed selectors. Before marking publish-ready, perform fresh artifact diffing, validate current package/action cleanup status, and reconcile exact downstream victim counts from direct maintainer or platform sources.

Sources

  1. StepSecurity primary research. Role: PRIMARY_RESEARCH Impact: Primary source for affected assets, execution trigger, payload behavior, and published IOCs.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Apr 29, 2026First seenFirst seen recorded for Mini Shai-Hulud SAP npm Bun Runtime Payloads.haltingproblems.com
Apr 29, 2026DiscoveryDiscovery recorded for Mini Shai-Hulud SAP npm Bun Runtime Payloads.haltingproblems.com
Apr 29, 2026DisclosureDisclosure recorded for Mini Shai-Hulud SAP npm Bun Runtime Payloads.haltingproblems.com
Apr 29, 2026Mini Shai-Hulud SAP npm Bun Runtime PayloadsUnknownhaltingproblems.com

Affected Software

4 of 4 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
mbtunknown1.2.48Malicious65%haltingproblems.com; StepSecurity
@cap-js/sqliteunknown2.2.2Malicious65%haltingproblems.com; StepSecurity
@cap-js/postgresunknown2.2.2Malicious65%haltingproblems.com; StepSecurity
@cap-js/db-serviceunknown2.10.1Malicious65%haltingproblems.com; StepSecurity

IOC Clipboard

22 IOCs
domainapi.github.com
command/proc/{pid}/mem
urlhttps://github.com/oven-sh/bun/releases/download/bun-v1.3.13/
domaingithub.com
file_path.vscode/tasks.json
commandgh auth token
file_path.claude/settings.json
domainregistry.npmjs.org
file_pathsetup.mjs
commandnode setup.mjs
file_pathexecution.js
file_path.github/workflows/format-check.yml
hash4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
hash80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac
hash6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
commandbun execution.js
network_patternA Mini Shai-Hulud has Appeared
network_patternsardaukar-
network_patternmentat-
network_patternfremen-
commandRunner.Worker
urlhttps://github.com/search?q=%22A+Mini+Shai-Hulud+has+Appeared%22&type=repositories

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes this scope contain package, workflow, process, filesystem, or network indicators associated with Mini Shai-Hulud SAP npm Bun Runtime Payloads?scripts/local_repository_and_exported_telemetry_scope.pyhaltingproblems.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does this scope contain package, workflow, process, filesystem, or network indicators associated with Mini Shai-Hulud SAP npm Bun Runtime Payloads?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.pyPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = Path(sys.argv[1]).resolve() if len(sys.argv) > 1 else Path('.').resolve()
OUT = Path(os.environ.get('OUT', 'hp-mini-shai-hulud-sap-npm-bun-runtime-scope'))
OUT.mkdir(parents=True, exist_ok=True)

PACKAGES = ["mbt", "@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service"]
PACKAGE_VERSIONS = ["mbt@1.2.48", "@cap-js/sqlite@2.2.2", "@cap-js/postgres@2.2.2", "@cap-js/db-service@2.10.1"]
FILES = ["setup.mjs", "execution.js", ".vscode/tasks.json", ".claude/settings.json", ".github/workflows/format-check.yml"]
HASHES = ["4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34", "80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac", "6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95"]
DOMAINS = ["api.github.com", "github.com", "registry.npmjs.org"]
URLS = ["https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/", "https://github.com/search?q=%22A+Mini+Shai-Hulud+has+Appeared%22&type=repositories"]
IPS = []
PROCESS_PATTERNS = ["Runner.Worker", "/proc/{pid}/mem", "node setup.mjs", "bun execution.js", "gh auth token"]
NETWORK_PATTERNS = ["A Mini Shai-Hulud has Appeared", "sardaukar-", "mentat-", "fremen-"]

def read_text(path: Path) -> str:
    try:
        return path.read_text(encoding="utf-8", errors="ignore")
    except Exception as exc:
        return f"__READ_ERROR__:{path}:{exc}"

def scan_tree(base: Path, indicators: set[str]) -> list[str]:
    matches = []
    skip = {".git", "node_modules", "vendor", "dist", ".venv", "__pycache__"}
    for current_root, dirs, files in os.walk(base):
        dirs[:] = [d for d in dirs if d not in skip]
        for name in files:
            path = Path(current_root) / name
            text = read_text(path)
            for indicator in indicators:
                if indicator and indicator in text:
                    matches.append(f"{path}: found {indicator!r}")
    return matches

indicators = set()
for group in [PACKAGES, PACKAGE_VERSIONS, FILES, HASHES, DOMAINS, URLS, IPS, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    indicators.update(group)

(OUT / "indicators.txt").write_text("\n".join(sorted(indicators)) + "\n", encoding="utf-8")
matches = scan_tree(ROOT, indicators)
(OUT / "matches.txt").write_text("\n".join(matches) + ("\n" if matches else ""), encoding="utf-8")
print(f"[+] wrote {len(indicators)} selectors and {len(matches)} matches under {OUT}")

Provenance & Sources

2 of 2 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
haltingproblems.comBlog80%1StepSecurity described a Mini Shai-Hulud npm campaign against SAP-related packages where preinstall hooks downloaded Bun, launched an obfuscated payload, scraped runner memory, created public GitHub dead-drop repositories, and attempted developer-workstation persistence.
StepSecuritySecurity Researcher95%1StepSecurity described a Mini Shai-Hulud npm campaign against SAP-related packages where preinstall hooks downloaded Bun, launched an obfuscated payload, scraped runner memory, created public GitHub dead-drop repositories, and attempted developer-workstation persistence.