The npm Ecosystem Has Crossed a Dangerous Threshold

Software supply chain security has never been more consequential. In September 2025, the Shai-Hulud worm fundamentally changed the threat landscape for the npm registry — automating the compromise and redistribution of malicious packages at a scale previously unseen. What once looked like isolated nuisance attacks has become a systematic, infrastructure-level campaign by sophisticated threat actors exploiting the trust baked into modern software development. Unit 42 researchers have been tracking this acceleration in real time, and what they've found should concern every developer and security team relying on open-source JavaScript dependencies.

From Typosquatting to Wormable Infrastructure Compromise

Before Shai-Hulud, the typical npm attack was opportunistic: publish a package with a name one character off from a popular library, wait for a developer to make a typo during installation, and harvest whatever credentials were accessible. Damaging, but contained. The post-September 2025 era looks entirely different. Unit 42 has identified three core shifts in adversary tactics, techniques, and procedures (TTPs) that define the new normal:

  • Wormable propagation: Modern payloads prioritize the theft of npm tokens and GitHub Personal Access Tokens (PATs). Once stolen, these credentials are used to automatically infect and republish legitimate packages under the victim's trusted identity — as demonstrated in the March 2026 Axios compromise.
  • CI/CD pipeline persistence: Attackers are no longer content with a single data-theft event. They embed themselves into continuous integration and continuous delivery pipelines, establishing long-term, difficult-to-detect footholds inside enterprise environments.
  • Multi-stage sleeper payloads: Following the September 2025 template, current attacks frequently deploy dormant "sleeper" dependencies that only activate under specific environmental conditions — a deliberate design choice to evade automated package scanners.

April 2026: Two Active Campaigns Raise the Stakes

April 2026 brought two distinct campaign waves, both attributed to the same threat actor lineage and both building directly on the Shai-Hulud codebase.

Shai-Hulud: The Third Coming (April 22, 2026)

The first wave, which began April 22, 2026, introduced a malicious npm package published as @bitwarden/cli version 2026.4.0. The package convincingly impersonates the legitimate Bitwarden command-line interface password manager — a tool trusted by security-conscious developers worldwide. Upon installation, a multi-stage payload executes automatically, performing three actions in sequence: stealing credentials from cloud providers, CI/CD systems, and developer workstations; backdooring every npm package the victim has publish rights to; and self-propagating across the victim's dependency graph.

Researchers noted that public GitHub repositories tied to this campaign contained the embedded string "Shai-Hulud: The Third Coming" — a deliberate marker likely intended as both a signature and a provocation. The threat actor, attributed to a group called TeamPCP, deployed the same payload across multiple Checkmarx distribution channels simultaneously, targeting Docker Hub images, GitHub Actions workflows, and VS Code extensions to maximize the blast radius of each compromised set of developer credentials.

Mini Shai-Hulud: Targeting the SAP Developer Ecosystem (April 29, 2026)

Less than a week later, a second wave emerged. Dubbed Mini Shai-Hulud, this campaign pivoted to target the SAP developer ecosystem through four compromised npm packages:

  • @cap-js/sqlite@2.2.2
  • @cap-js/postgres@2.2.2
  • @cap-js/db-service@2.10.1
  • mbt@1.2.48

These are not obscure packages. Together they account for approximately 570,000 weekly downloads, with @cap-js/sqlite and @cap-js/db-service pulling around 250,000 and 260,000 downloads per week respectively. All four are core components of SAP's Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain — placing enterprise developers and their CI/CD pipelines squarely in the crosshairs.

How the Attack Mechanism Works

The technical execution of Mini Shai-Hulud is precise and largely automated. Each compromised package received two new files — setup.mjs and execution.js — alongside a modified package.json that adds a preinstall lifecycle hook:

"preinstall": "node setup.mjs"

This single line means the malicious code executes before the installation process completes — before a developer has any chance to review what just ran on their machine or in their pipeline.

The setup.mjs bootstrapper begins by detecting the host operating system and architecture. It then downloads the Bun JavaScript runtime (v1.3.13) from official GitHub releases for the Oven-sh project, extracts it to a temporary directory, and immediately uses it to execute execution.js — a technique that helps the payload evade Node.js-specific detection heuristics.

The final payload, execution.js, is an 11.7 MB single-file obfuscated credential stealer and propagation framework. It employs a custom string-scrambling layer labeled ctf-scramble-v2 to resist static analysis, harvests cloud credentials, GitHub tokens, and deployment secrets, and then uses those credentials to continue the worm's spread through the victim's accessible package ecosystem.

Why This Threat Demands Immediate Attention

Several factors make the post-Shai-Hulud npm threat landscape particularly dangerous for enterprise organizations:

  • Trusted package impersonation: Targeting @bitwarden/cli and SAP CAP packages means attackers are weaponizing tools that security teams and enterprise developers explicitly trust.
  • Preinstall execution: The lifecycle hook technique gives defenders almost no window to inspect before the payload runs.
  • Cross-campaign code reuse: Unit 42 has confirmed that Mini Shai-Hulud uses the same toolchain, obfuscation methods, and propagation logic as the April 22 Bitwarden campaign — indicating a well-resourced actor with a reusable attack framework, not opportunistic one-off incidents.
  • Enterprise CI/CD focus: By targeting SAP CAP and MTA build tooling, attackers are explicitly prioritizing environments with access to production cloud credentials and deployment pipelines.

Mitigations and Defensive Recommendations

Organizations that rely on npm packages — particularly those using SAP CAP, Bitwarden CLI, or any package with broad developer adoption — should treat this as an active threat requiring immediate defensive action. Key mitigations include:

  • Audit installed package versions immediately: Check for the specific compromised versions listed above and downgrade or remove them until clean versions are verified.
  • Rotate all npm tokens and GitHub PATs: Assume any developer who ran npm install on an affected package may have had credentials exfiltrated. Token rotation should be treated as mandatory, not precautionary.
  • Purge package caches: Malicious packages cached locally or in cloud-based artifact repositories (Artifactory, CodeArtifact, GitHub Packages) must be explicitly removed — a clean reinstall will not help if the cache serves the compromised version.
  • Enforce package integrity verification: Use npm audit, lockfile integrity checks, and where possible, private registry proxies that enforce allowlisting of approved package versions.
  • Monitor CI/CD pipeline configurations: Look for unexpected additions to workflow files, new environment variable references, or modified build scripts that could indicate an established foothold.
  • Restrict preinstall script execution: Consider using --ignore-scripts in automated CI/CD environments where lifecycle scripts are not required.

Conclusion: The npm Threat Landscape Has Permanently Changed

The Shai-Hulud campaigns of 2025 and 2026 are not isolated incidents — they are the leading edge of a structural shift in how adversaries exploit open-source ecosystems. The npm registry's combination of massive developer adoption, automated trust propagation, and deep integration into enterprise CI/CD pipelines makes it an exceptionally high-value attack surface. Unit 42's ongoing cross-campaign correlation work confirms that the same infrastructure and code is being reused and refined across attacks, pointing to organized threat actors with long-term operational goals rather than opportunistic script kiddies. For defenders, the message is clear: treating npm supply chain risk as a theoretical concern is no longer tenable. Active monitoring, rapid credential rotation, and hardened pipeline configurations are now foundational requirements for any organization that ships software built on JavaScript dependencies.