On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's NPM namespace. The malware adapts to CI environments, steals GitHub personal access tokens, and uses them to self-propagate, a pattern consistent with recent supply-chain attacks.

Update: May 12, 2026

Between May 11th and May 12th, a new phase of this attack was identified, with numerous compromised NPM packages. While the big picture of the attack remains unchanged, the methodology shifted slightly.

While the original attack focused on a limited number of enterprise-ready packages, this new iteration broadens the scope to more than 300 packages in a single wave. Those packages are spread across various namespaces, the most notable being @opensearch-project/opensearch and @mistralai/mistralai.

The OpenSearch NPM package has 1.3M weekly downloads. Its compromise is currently the most recent in this attack wave and occurred at 00:39 GMT. The malicious versions were removed by 10:45 GMT, roughly ten hours later. Affected versions are 3.5.3, 3.7.0, and 3.8.0.

The Mistral package is downloaded more than 2M times per week. The compromise occurred on May 11th, around 10:30 pm GMT; the malicious versions 2.2.2, 2.2.3, and 2.2.4 were removed by 11:00 pm GMT the same day, about thirty minutes later.

It is worth noting that both packages were compromised as a downstream effect of the supply chain attack (their build pipelines picked up an already-infected dependency) rather than by being targeted directly.
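
The versions listed above are the first thing to check in an affected codebase. The following script, added here as an illustration and not part of the original write-up or of either project, walks a package-lock.json (lockfileVersion 1, 2 or 3, including nested node_modules trees) and reports every resolved version that matches the affected set. The AFFECTED map holds only the package/version pairs named on this page; the sample lockfile embedded at the bottom is constructed for the demonstration.

```python
import json
from collections import defaultdict

# Package/version pairs are the ones named in the write-up above; extend the map as
# further advisories land. Everything else in this block is illustrative.
AFFECTED = {
    "@opensearch-project/opensearch": {"3.5.3", "3.7.0", "3.8.0"},
    "@mistralai/mistralai": {"2.2.2", "2.2.3", "2.2.4"},
}


def _record(hits, name, version):
    if name in AFFECTED and version in AFFECTED[name]:
        hits[name].add(version)


def _walk_v1(deps, hits):
    # lockfileVersion 1 (and the compatibility copy kept in lockfileVersion 2):
    # nested "dependencies" trees, one level per hoisting boundary.
    for name, meta in deps.items():
        _record(hits, name, meta.get("version"))
        _walk_v1(meta.get("dependencies", {}), hits)


def find_affected(lockfile_text):
    """Return {package: [versions]} for every affected version resolved anywhere in the lockfile."""
    lock = json.loads(lockfile_text)
    hits = defaultdict(set)
    # lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
    # "node_modules/@mistralai/mistralai" or a nested
    # "node_modules/some-tool/node_modules/@mistralai/mistralai".
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        _record(hits, path.rsplit("node_modules/", 1)[-1], meta.get("version"))
    _walk_v1(lock.get("dependencies", {}), hits)
    return {name: sorted(versions) for name, versions in hits.items()}


# Constructed lockfile fragment for the demonstration (not from any real project).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@mistralai/mistralai": {"version": "2.2.3"},
        "node_modules/@opensearch-project/opensearch": {"version": "3.6.0"},
        "node_modules/some-tool": {"version": "0.1.0"},
        "node_modules/some-tool/node_modules/@opensearch-project/opensearch": {"version": "3.8.0"},
    },
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for name, versions in find_affected(text).items():
        print(f"AFFECTED {name} {', '.join(versions)}")
```

Run it against a real lockfile with `python check_lock.py path/to/package-lock.json`. A clean lockfile only tells you what was resolved into that file; a CI job that installs from a floating range without a lockfile (or with `npm update`) during the exposure window has to be checked from its build logs instead.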

The most interesting point about this attack is that most of the affected packages relied on trusted publishing (OIDC-based publication from CI, with no long-lived NPM token) to protect their NPM package publication. That did not help here: because the malware specifically targets CI/CD environments, it runs inside the very workflow that the trusted-publishing relationship authorizes, so it inherits that workflow's OIDC identity and can publish under the package's name. Trusted publishing removes static tokens from the picture, but it does not protect against code executing inside the trusted workflow itself, which is exactly where an infected dependency's install step runs.

This wave of the attack used the Session secure messenger as its main exfiltration channel.

How it works

  1. Credential harvesting: The payload reads the CI environment variables of the job it runs in, collects the secrets they expose, and adjusts its behavior to the CI system it detects.
  2. Token exfiltration: If a GitHub personal access token (prefix ghp_) is found locally, the malware uses it to push the encrypted secrets to the GitHub account that token belongs to.
  3. Fallback mechanism: If no token is present, the malware scans the repository's commit messages for the string 'OhNoWhatsGoingOnWithGitHub:', decodes the double-base64-encoded payload that follows it, and uses the result to exfiltrate the encrypted secrets to that account.
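
Both the plaintext ghp_ tokens and the commit-message marker are searchable, so a repository owner can sweep their history for them. The script below is an added example (not code from the original write-up or from the malware) that parses `git log` output, flags any ghp_ token in a commit message, and, for every occurrence of the marker, decodes the double-base64 payload after it. The page does not state what the decoded payload contains, so the example reports the decoded text regardless and only labels it a token when it matches the ghp_ shape; the sample log, the commit hashes and the token value are constructed for the demonstration.

```python
import base64
import re

# The marker string and the ghp_ prefix come from the write-up above; the 36-character
# token body is the usual length of a classic GitHub PAT. Everything else is constructed.
MARKER = "OhNoWhatsGoingOnWithGitHub:"
GHP_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")
B64_RE = re.compile(r"\s*([A-Za-z0-9+/]+=*)")


def double_b64(text):
    """base64(base64(text)): the encoding the fallback path hides its payload with."""
    return base64.b64encode(base64.b64encode(text.encode())).decode()


def decode_double_b64(blob):
    """Reverse double_b64; return None when the blob is not valid base64 twice over."""
    try:
        inner = base64.b64decode(blob, validate=True)
        return base64.b64decode(inner, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_git_log(raw):
    """Split the output of `git log --format='%H%x1f%B%x1e'` into (sha, message) pairs."""
    commits = []
    for record in raw.split("\x1e"):
        parts = record.lstrip("\n").split("\x1f", 1)
        if len(parts) == 2:
            commits.append((parts[0], parts[1]))
    return commits


def scan_commits(commits):
    """Return findings: plaintext ghp_ tokens and decoded marker payloads, in commit order."""
    findings = []
    for sha, message in commits:
        for m in GHP_RE.finditer(message):
            findings.append({"sha": sha, "kind": "plaintext_token", "value": m.group(0)})
        start = 0
        while (idx := message.find(MARKER, start)) != -1:
            m = B64_RE.match(message, idx + len(MARKER))
            decoded = decode_double_b64(m.group(1)) if m else None
            if decoded is None:
                kind = "marker_undecodable"
            elif GHP_RE.fullmatch(decoded):
                kind = "marker_token"
            else:
                kind = "marker_payload"
            findings.append({"sha": sha, "kind": kind, "value": decoded})
            start = idx + len(MARKER)
    return findings


# Constructed sample: a fake token and a fake `git log` dump in the format parse_git_log expects.
FAKE_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # not a real credential
SAMPLE_LOG = (
    "aaaa111\x1fBump deps\n\x1e\n"
    "bbbb222\x1fci: add cache key " + FAKE_TOKEN + "\n\x1e\n"
    "cccc333\x1fchore: sync\n\n" + MARKER + double_b64(FAKE_TOKEN) + "\n\x1e\n"
    "dddd444\x1fnoise " + MARKER + "not-base64!!\n\x1e\n"
)

if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_commits(parse_git_log(raw)):
        print(f"{f['sha'][:7]} {f['kind']} {f['value']}")
```

Pipe a real history in with `git log --all --format='%H%x1f%B%x1e' | python scan_history.py`; the `--all` matters because the attacker-created commits may sit on branches that were never merged. Any token the scan turns up should be treated as compromised and revoked, and the marker alone is a strong indicator even when its payload fails to decode.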

The RSA keys used to encrypt the exfiltrated secrets are the same as the ones used last week in the @bitwarden/cli attack.

Exfiltration infrastructure

GitGuardian identified 7 commits containing exposed ghp_ tokens; all were still valid and active at 16:46 EST. The attacker used the stolen tokens to create public repositories, each named with Dune-themed keywords. Inside each repository:

  • README.md file containing the string "A Mini Shai-Hulud has Appeared"
  • results/ directory with a JSON file holding the encrypted payload, encrypted to a 4096-bit RSA public key

Campaign Footprint

Our telemetry shows the attack's full scope:

  • 23 GitHub accounts used for exfiltration
  • 971 public repositories created with stolen tokens
  • The top 6 accounts created 936 repos (96%); these are the accounts tied to the 7 compromised tokens