Severity: HIGH | Affected Sectors: Finance, Government, Telecom, Critical Infrastructure | Region: Kenya, Ethiopia, Somalia, Uganda, Tanzania, Rwanda
The Threat
A coordinated supply chain attack campaign - identified by researchers at Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz - has compromised multiple SAP-related npm packages with credential-stealing malware. The threat actor group, calling itself "mini Shai-H," has deliberately targeted packages that developers use when building or extending SAP environments, meaning the attack reaches victims through trusted software dependencies, not direct intrusion.
This is not a theoretical vulnerability. The malicious packages were actively published to the npm registry - the world's largest JavaScript package repository - and are designed to silently harvest credentials, API keys, and environment variables from any system where the compromised packages are installed or executed.
SAP is one of the most widely deployed enterprise resource planning (ERP) platforms across East Africa's banking sector, government ministries, and large enterprises. Any developer or DevOps team that has recently installed or updated SAP-adjacent npm dependencies must treat their environment as potentially compromised until verified otherwise.
Impact Assessment for East African Organizations
In Kenya alone, major commercial banks, the Kenya Revenue Authority, several county governments, and large telecoms rely on SAP for financial management, HR, and supply chain operations. In Ethiopia, the Ethiopian Revenue and Customs Authority and state-owned enterprises including Ethiopian Airlines and Ethio Telecom are known SAP users. Across the Horn of Africa, SAP-powered systems process payroll, public expenditure, and customer billing at scale.
A successful credential-theft attack against these environments could expose:
- SAP administrative credentials - giving attackers full control over ERP systems that hold payroll, supplier payments, and financial records
- API keys and service account tokens - enabling lateral movement into cloud infrastructure, databases, and connected government systems
- Environment variables - which frequently contain database connection strings, third-party integration secrets, and internal network addresses
- Developer workstation access - allowing attackers to pivot from a single compromised laptop into production systems
Under the Kenya Data Protection Act 2019 and the CBK Cybersecurity Guidelines, financial institutions that suffer a breach through a known, unpatched vector face both regulatory penalties and mandatory disclosure obligations. A supply chain breach of this nature - originating in development tooling - is particularly difficult to detect through conventional perimeter monitoring, making the window of exposure longer and the blast radius wider.
Immediate Actions - Do These Now
- Audit your npm dependency tree immediately. Run npm audit and cross-reference all SAP-related packages against the Indicators of Compromise (IoCs) published by Aikido Security, Socket, and Wiz. Flag any package installed or updated in the past 60 days for review.
- Rotate all credentials and secrets stored in environment variables on any system where npm packages are executed - including CI/CD pipelines, developer workstations, and build servers. Do not wait to confirm compromise; rotate first.
- Isolate and forensically review CI/CD pipelines. Build systems are a primary infection vector in supply chain attacks. Treat your pipeline environment as untrusted until a clean-state rebuild has been completed.
- Enable runtime secret scanning. Review the output of secret-scanning tools such as GitGuardian or TruffleHog, and the audit logs of secret stores such as AWS Secrets Manager, for any anomalous access to credential data in the past 30 to 90 days.
- Alert your SAP Basis and security teams to monitor for unusual administrative logins, permission escalations, or configuration changes within SAP systems, particularly those with web-facing API integrations.
DRONGO Recommendation
Supply chain attacks bypass traditional perimeter defenses entirely - they enter through the tools your developers trust. DRONGO's Software Composition Analysis (SCA) and DevSecOps advisory services help East African organizations build dependency verification, secret scanning, and pipeline hardening into every stage of the development lifecycle, before attackers exploit the gap.
Is your organization protected? Request a free security assessment.