OSS
Mini Shai-Hulud Supply Chain Attack Targets SAP npm Ecosystem — 570,000 Weekly Downloads Compromised Across Four Packages
A new wave of the Shai-Hulud self-replicating npm worm dubbed 'Mini Shai-Hulud' launched April 29, 2026, compromising four packages in SAP's Cloud Application Programming Model and multitarget application build toolchain with a combined 570,000 weekly downloads. The original Shai-Hulud (September 2025) automated the compromise and redistribution of malicious packages; this variant specifically targets enterprise SAP developer environments. Unit42 at Palo Alto Networks documented the attack, noting it marks the shift from nuisance-level npm attacks to high-consequence threats affecting enterprise supply chains.
↳ Follow the thread