TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack
ID: 77742b30-79a2-5912-9090-1e03b451e312
STIX ID: report--77742b30-79a2-5912-9090-1e03b451e312
Feed Name: Dark Reading
TeamPCP conducted a supply-chain campaign (dubbed "Mini Shai-Hulud") that injected malicious preinstall scripts into four SAP-related npm packages (@cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1, and mbt v1.2.48). The multi-stage payload harvests GitHub, npm, Kubernetes, CI/CD, and cloud credentials, encrypts them, and exfiltrates them to attacker-controlled GitHub repositories. It also contains propagation code to compromise additional packages and downstream organizations. The packages were removed after detection, but hundreds of thousands of downloads and the resulting exposure risk make the incident high impact.
