Chainguard artifacts safe from npm supply chain attack targeting SAP developer dependencies with 2.25M+ monthly downloads
Chainguard customers using our JavaScript Libraries and Container images are unaffected by the Shai-Hulud-style worm that began propagating across npm today. The attack compromised four npm dependencies in the SAP Cloud Application Programming Model with a combined 2.25M monthly downloads. Compromised repositories are being created on GitHub in real time: stolen credentials are exfiltrated and then used to create new private repos containing the leaked keys. As of this writing, more than 1,200 repos have been affected, and the tally continues to grow.
Customers who pulled any of the versions below from the npm registry should investigate for a possible compromise:

- @cap-js/sqlite@2.2.2 (~1M downloads/month)
- @cap-js/db-service@2.10.1 (~1M downloads/month)
- mbt@1.2.48 (180K downloads/month)
- @cap-js/postgres@2.2.2 (30K+ downloads/month)
The malicious packages add a `"preinstall": "node setup.mjs"` lifecycle hook to the upstream tarball. That script downloads the Bun runtime and uses it to stage a credential harvester targeting GitHub tokens, npm tokens, and other developer secrets. The payload execution flow is indirect: by running the harvester under Bun rather than Node.js and hiding the staging logic in a preinstall hook, the attackers bypass many existing security controls, which focus on postinstall scripts and Node-native execution.
The attack includes a hardcoded payload description: “A Mini Shai-Hulud has Appeared.” This matches the naming convention of the earlier Shai-Hulud npm worm campaign. However, there is no confirmed attribution for the attack. The overlapping techniques (preinstall hooks, credential harvesting) and the thematic naming suggest a possible connection, but they could also indicate a copycat operation.
Why Chainguard customers were protected
Chainguard Libraries for JavaScript never built or served any of the malicious versions because of our policy not to build packages with install-time scripts. When the Chainguard Factory attempted to rebuild the packages, the system detected the preinstall hook and terminated the workflow before any package code executed.
This is the same architectural protection that kept Chainguard customers safe during the Shai-Hulud npm worm in late 2025, CanisterWorm in March 2026, and the Namastex campaign from last week. Chainguard does not execute arbitrary lifecycle hooks from upstream packages. Only 4% of verified JavaScript packages rely on install-time scripts. To date, install-time scripts have served as a key attack vector for spreading malicious code at the moment of package consumption.
Available now in the Chainguard Repository are 38 unaffected versions of @cap-js/sqlite; 62 unaffected versions of @cap-js/db-service; and 88 unaffected versions of mbt.
What to do if you're not a Chainguard customer
If you installed any of the affected package versions, uninstall immediately and pin to unaffected versions:

- @cap-js/sqlite@2.2.1
- @cap-js/db-service@2.10.0
- mbt@1.2.47
- @cap-js/postgres@2.2.1
If you downloaded any of the malicious packages, you should consider your environment compromised. Rotate all credentials, API keys, SSH keys, GitHub tokens, and npm tokens accessible from that machine. Because the attack creates private repositories on GitHub using stolen credentials, search your organization for repositories created on or after April 29, 2026, that you don’t recognize. You should also inspect your system for any artifacts of the Bun runtime that weren’t intentionally installed.
Finally, as a way to ensure that you’re safe from the inevitable next attack, get protected now with Chainguard Libraries for JavaScript. If you're not yet a Chainguard customer, reach out to learn how we build malware resistance into our build process, or get started with Chainguard Containers and Libraries for free today.