Malicious versions of legitimate SAP ecosystem packages (e.g., @cap-js/sqlite, @cap-js/postgres) were created by modifying them to include a preinstall script that executes setup.mjs automatically during npm install. This script downloads the Bun runtime and uses it to execute an obfuscated payload (execution.js), giving the attacker code execution before the package installation has even completed.
When executed, the second-stage payload is a credential stealer and propagation framework designed to target both developer environments and CI/CD pipelines. It collects sensitive data including GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets, using advanced techniques such as extracting secrets from runner memory. Exfiltration occurs via public GitHub repositories, to which it posts encrypted payloads. Additionally, the malware includes propagation logic to infect further repositories and package distributions.
During its initial setup, the malware performs a system check to determine if the compromised machine is configured for the Russian language. It does this by inspecting both the system's date/time locale settings and its environment language variables. If any of these values begin with 'ru', the payload abruptly terminates itself, ensuring no data is exfiltrated from Russian-speaking systems.