malware npm

@cap-js/postgres

discovered 2026-04-29

@cap-js/postgres is identified in the SafeDep analysis "Mini Shai Hulud and SAP Compromise". Four SAP npm packages published on April 29, 2026 contain a two-stage credential-stealing payload targeting GitHub tokens, AWS keys, and CI/CD pipelines. The packages share SAP-affiliated maintainers, pointing to a publisher account compromise.

more…

Threat types

credential_stealer data_exfiltration worm

Malicious versions

2.2.2

Campaigns

Mini Shai-Huludattributed-to

Indicators

sha1 0a3dd44d361c34cd9036eeb3f49601160a636648indicates
email cap@sap.comexfiltrates-to
email mob.extrepo.stores@sap.comexfiltrates-to
email claude@users.noreply.github.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1528 Steal Application Access Tokenuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1021 Remote Servicesuses
ttp T1098 Account Manipulationuses

Read the full analysis →