npm

@cap-js/sqlite

@cap-js/sqlite is identified in the SafeDep analysis "Mini Shai Hulud and SAP Compromise". Four SAP npm packages published on April 29, 2026 contain a two-stage credential-stealing payload targeting GitHub tokens, AWS keys, and CI/CD pipelines. The packages share SAP-affiliated maintainers, pointing to a publisher account compromise.

discovered 2026-04-29

Threat types

credential_stealerdata_exfiltrationworm

Malicious versions

2.2.2

Campaigns

Mini Shai-Huludattributed-to

Indicators

sha10a3dd44d361c34cd9036eeb3f49601160a636648indicates
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1528 Steal Application Access Tokenuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1021 Remote Servicesuses
ttpT1098 Account Manipulationuses

Read the full analysis →