SAP npm packages poisoned with credential-stealing malware in "Mini Shai-Hulud" attack. Malicious preinstall hooks harvest GitHub tokens, cloud keys and CI/CD secrets. Attackers weaponise AI agent configs for persistence, turning Claude and VS Code settings into execution paths.
Medtronic says a third party accessed data in corporate IT systems, while ShinyHunters claims more than nine million records were stolen. The incident did not disrupt products or patient care, but it exposes the widening risk around corporate IT, identity data and medical technology supply chains.
Australia’s A$25bn AI wager, Bezos’s leap into “physical AI” and Musk’s push to shift data centres into orbit turned this week into a defining moment in the AI global industrial contest, with the Global South emerging as both proving ground and prize in the new AI steel age.
SAP npm packages poisoned with credential-stealing malware in "Mini Shai-Hulud" attack. Malicious preinstall hooks harvest GitHub tokens, cloud keys and CI/CD secrets. Attackers weaponise AI agent configs for persistence, turning Claude and VS Code settings into execution paths.
Cyber analysts and media are in a frenzy reporting this incident. A supply-chain attack has struck SAP's JavaScript ecosystem, with several npm packages briefly carrying credential-stealing malware. Security teams have dubbed the campaign "Mini Shai-Hulud." It targeted packages used for SAP Cloud Application Programming Model and Cloud MTA builds: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2.
The shift here is critical: attackers have moved from production servers to the developer layer itself. Multiple analyst reports confirm that poisoned releases used malicious preinstall hooks. These fired during npm install, pulled down the Bun runtime, then ran obfuscated code to harvest GitHub tokens, npm credentials, GitHub Actions secrets, cloud keys for AWS, Azure and GCP, and Kubernetes tokens.
This follows patterns Cyber News Centre has tracked closely. Recent coverage of the Vercel OAuth breach and the ShinyHunters Salesforce attack both showed how trusted cloud identities become breach amplifiers. Now that same logic reaches into package installation and build automation, where one dependency update can hit developer machines, source repos and deployment pipelines before perimeter tools register anything amiss.
The target is the operational core of modern development: workstations, package managers, GitHub repos, CI/CD runners. A single infected dependency can unlock source code, cloud infrastructure, deployment secrets and package publishing rights.
Industry analysts report the malware exfiltrates encrypted payloads through GitHub repos and tries to spread via compromised tokens. One firm links the activity with medium confidence to TeamPCP, citing technical overlap and consistent targeting of developer environments. The malicious versions lived on npm for just over two hours, 09:55 to 12:14 UTC on 29 April, but automated builds can pull packages within minutes, so window length barely matters.
The persistence mechanism is what's new. Analysts found the malware drops .claude/settings.json and .vscode/tasks.json files, re-triggering execution whenever someone opens the repo in Claude Code or VS Code. Their assessment is blunt: this is among the first supply-chain attacks to weaponise AI coding agent configurations for persistence and propagation. The warning is clear. The next exposure layer isn't just packages, tokens and workflows, but the local config files that tell AI tools and IDEs what to run.
AI is compressing software delivery timelines, and attackers are exploiting that same acceleration. Developers lean on automated dependency updates, AI coding agents, fast installs and continuous deployment. This campaign hijacks those conveniences directly, using IDE and AI-agent configs as persistent footholds.
For enterprises deploying AI-assisted development at scale, the risk sharpens. When AI agents get repo context, terminal access or workflow permissions, an infected repository becomes more than passive code. It becomes an active execution environment. Security teams now need to scrutinise AI agent configs, IDE tasks, repo hooks and local automation policies with the same rigour they apply to build scripts and deployment credentials.
Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
Medtronic says a third party accessed data in corporate IT systems, while ShinyHunters claims more than nine million records were stolen. The incident did not disrupt products or patient care, but it exposes the widening risk around corporate IT, identity data and medical technology supply chains.
Vercel confirms a security incident after a compromised third-party AI tool's OAuth token allowed attackers to pivot into internal systems, exposing environment variables and API keys across its platform.
Anthropic is scrambling to contain fresh questions over its Mythos AI after online users reportedly accessed the ultra‑powerful model through previously mapped pathways, sharpening Pentagon supply chain concerns and spooking markets already on edge about AI‑driven cyber risk
According to Microsoft’s April 2026 Security Update Guide, the company fixed more than 160 vulnerabilities across Windows, Office and core services, including an actively exploited SharePoint zero‑day and a Defender privilege‑escalation flaw.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!
