https://feed.craftedsignal.io/tags/sap/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 14:27:36 +0000https://feed.craftedsignal.io/briefs/2026-04-mini-shai-hulud/Thu, 30 Apr 2026 14:27:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-mini-shai-hulud/The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.The Mini Shai-Hulud campaign, active as of April 2026, targets SAP NPM packages used in the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. Four package versions were compromised: mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, and @cap-js/sqlite 2.2.2. These packages, with over 500,000 combined weekly downloads, are essential for SAP’s Cloud MTA Build Tool and database services for CAP software. The attackers injected a preinstall script that fetches and executes a Bun binary, bypassing security monitoring. The malicious versions were available for a short window of 2-4 hours before being unpublished and superseded by clean versions. Wiz attributes this activity to TeamPCP due to a shared RSA public key used to encrypt the exfiltrated secrets.

Attack Chain

1. The attacker compromises an NPM token, possibly exposed through CircleCI.
2. The attacker injects a malicious preinstall script into the targeted SAP NPM packages (mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite).
3. When a user installs the compromised package, the preinstall script executes.
4. The script fetches a Bun ZIP archive from a GitHub repository.
5. The script extracts the Bun archive and executes the included Bun binary.
6. The Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.
7. The stolen data is exfiltrated to public GitHub repositories with the description “A Mini Shai-Hulud has Appeared”.
8. The malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.

Impact

The Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.

Recommendation

• Organizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2) during the exposure window.
• Implement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description “A Mini Shai-Hulud has Appeared”.
• Monitor process execution for the execution of bun binaries in unusual or unexpected locations to identify systems where compromised packages were installed. Deploy the Sigma rule Detect Bun Execution From NPM Package to detect this behavior.

]]>criticalthreatsupply-chainnpmsapcredential-thefthttps://feed.craftedsignal.io/briefs/2026-04-sap-sql-injection/Tue, 14 Apr 2026 00:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-sap-sql-injection/CVE-2026-27681 describes an insufficient authorization check vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse that allows authenticated users to execute crafted SQL statements, leading to unauthorized data access, modification, and deletion.CVE-2026-27681 highlights a critical security flaw within SAP Business Planning and Consolidation and SAP Business Warehouse. This vulnerability stems from insufficient authorization checks, which allows an authenticated user to inject and execute arbitrary SQL commands. The vulnerability was published on 2026-04-13. An attacker can leverage this flaw to perform unauthorized actions such as reading sensitive data, modifying critical system configurations, and deleting essential information. The successful exploitation of CVE-2026-27681 can lead to significant disruption of business operations, data breaches, and potential financial losses. The scope of impact is broad, affecting organizations relying on these SAP solutions for their planning, consolidation, and data warehousing needs. Defenders should prioritize patching and mitigating this vulnerability to prevent potential exploitation.

Attack Chain

1. An attacker gains valid credentials for SAP Business Planning and Consolidation or SAP Business Warehouse.
2. The attacker identifies input fields or interfaces within the SAP application that are vulnerable to SQL injection.
3. The attacker crafts malicious SQL statements designed to bypass authorization checks.
4. The attacker injects the crafted SQL statements into the vulnerable input fields or interfaces.
5. The SAP application executes the attacker-supplied SQL statements against the underlying database.
6. The attacker reads sensitive data from database tables, including user credentials, financial records, or proprietary information.
7. The attacker modifies existing data within the database to manipulate system configurations, grant elevated privileges, or disrupt business processes.
8. The attacker deletes critical database records, causing data loss, system instability, and denial of service.

Impact

Successful exploitation of CVE-2026-27681 can have severe consequences for affected organizations. The ability to read, modify, and delete database data can lead to data breaches, financial fraud, and disruption of critical business processes. The vulnerability allows attackers to gain unauthorized access to sensitive information, manipulate system configurations, and cause data loss. This can result in significant financial losses, reputational damage, and regulatory penalties. Organizations relying on SAP Business Planning and Consolidation and SAP Business Warehouse should prioritize patching this vulnerability to prevent potential exploitation.

Recommendation

• Apply the security patch provided by SAP SE as described in SAP Note 3719353 to remediate CVE-2026-27681 immediately.
• Monitor SAP application logs for suspicious SQL queries or unauthorized database access attempts to detect potential exploitation of CVE-2026-27681.
• Implement strong input validation and sanitization measures to prevent SQL injection attacks in SAP Business Planning and Consolidation and SAP Business Warehouse.
• Deploy the Sigma rule “Detect Suspicious SAP SQL Injection Attempts” to identify potential exploitation attempts.

]]>criticaladvisorycve-2026-27681sql-injectionsap