'Mini Shai-Hulud' supply chain attack targets SAP npm packages

On April 29, 2026, researchers reported the 'mini Shai-Hulud' campaign in which compromised npm packages for SAP's Cloud Application Programming Model (CAP) include code to steal credentials, encrypt them, and exfiltrate the data to public GitHub repositories. Maintainers have released updated package versions; organizations are advised to investigate installations of the compromised packages, review GitHub, npm, and cloud activity for exposed credentials, and rotate any potentially affected secrets. Sophos detections referenced include JS/Agent-BMAH and JS/Steal-EAT.