


Perceptive Security
SOC/SIEM Consultancy

Official SAP npm packages compromised to steal credentials
Published:
29 April 2026 at 22:43:44
Alert date:
29 April 2026 at 23:01:57
Source:
bleepingcomputer.com
Supply Chain & Dependencies, Enterprise Applications
Multiple official SAP npm packages were compromised in a supply-chain attack attributed, so far tentatively, to TeamPCP. The malicious versions were built to steal credentials and authentication tokens from developers' machines and from CI runners. Because the packages are published under SAP's own npm accounts rather than typosquatted look-alikes, this is a direct compromise of a major enterprise vendor's official distribution channel, and any developer or pipeline that installed an affected version before it was deprecated should assume its credentials were exposed. The incident fits a broader pattern of supply-chain attacks on public package registries.
Technical details
The compromised versions carry a malicious 'preinstall' lifecycle script, so the payload runs automatically during npm install, before any of the package's normal code is ever imported. The script launches a loader, setup.mjs, which downloads the Bun JavaScript runtime from GitHub and uses it to run a heavily obfuscated payload, execution.js. The payload is an information stealer that collects npm and GitHub tokens, SSH keys, AWS, Azure and Google Cloud credentials, Kubernetes configs, and CI/CD secrets. When it detects a CI runner, an embedded Python script reads /proc/<pid>/maps and /proc/<pid>/mem for the Runner.Worker process (the GitHub Actions runner's job worker) and extracts secrets straight from its memory, which captures values that are injected into the job and are never written to disk. Stolen data is encrypted and pushed to public GitHub repositories created under the victim's own account, and commit messages of the form 'OhNoWhatsGoingOnWithGitHub:<base64>' act as a dead drop that the attacker locates through GitHub commit search. The payload also contains self-propagation logic that uses stolen npm credentials to publish modified versions of other packages the victim is allowed to write to.
Mitigation steps:
The affected versions have been deprecated on npm. Audit lockfiles and node_modules for the exact versions listed below and move to a version that is not listed (a release before the compromised one, or a later clean release); a deprecation warning alone does not remove a version that is already installed or sitting in a cache. Treat any workstation or CI runner that installed an affected version as compromised: rotate the npm and GitHub tokens, SSH keys, AWS, Azure and Google Cloud credentials, Kubernetes credentials and CI/CD secrets reachable from it, and check for other packages published with those credentials, since the payload self-propagates. Review GitHub users and organisations for newly created public repositories whose description is 'A Mini Shai-Hulud has Appeared' and for commits whose messages begin with 'OhNoWhatsGoingOnWithGitHub:'. Installing with npm install --ignore-scripts, or setting ignore-scripts=true in .npmrc, blocks preinstall hooks of this kind; it also breaks packages that legitimately rely on install scripts, so it is most practical on CI runners where the dependency set is known and reviewed.
Affected products:
@cap-js/sqlite v2.2.2
@cap-js/postgres v2.2.2
@cap-js/db-service v2.10.1
mbt v1.2.48
SAP Cloud Application Programming Model (CAP)
SAP Cloud MTA
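As an added example, not code from the advisory, from SAP, or from the researchers linked below: a Node.js script that audits a package-lock.json (lockfileVersion 2 or 3) for the versions listed above and for every package that npm marked as having an install-time lifecycle script, and that matches GitHub commit messages and repository descriptions against the IOC patterns from the technical details. The sample lockfile and repository list are constructed for the example; the one assumption is that the lockfile carries npm's hasInstallScript flag, which npm 7 and later write.

```javascript
// Added example (not from the advisory, SAP, or the linked researchers):
// audit an npm package-lock.json (lockfileVersion 2 or 3) against the versions
// in this advisory, plus matchers for the GitHub IOC patterns.
// The sample lockfile and repository list at the bottom are constructed.

// Compromised versions from the "Affected products" list (name -> versions).
const COMPROMISED = {
  '@cap-js/sqlite': ['2.2.2'],
  '@cap-js/postgres': ['2.2.2'],
  '@cap-js/db-service': ['2.10.1'],
  mbt: ['1.2.48'],
};

// IOC strings from the advisory.
const IOC_REPO_DESCRIPTION = 'A Mini Shai-Hulud has Appeared';
// Dead-drop commit messages: fixed marker, a colon, then a base64 blob.
const DEAD_DROP_RE = /^OhNoWhatsGoingOnWithGitHub:([A-Za-z0-9+/]+={0,2})$/;

// Lockfile v2/v3 entries are keyed by install path, e.g. "node_modules/@cap-js/sqlite"
// or, for nested copies, "node_modules/a/node_modules/b". The package name is the
// text after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns the installed packages that match a compromised version, and every
// package npm marked with hasInstallScript (a preinstall/install/postinstall
// hook). The second list is a review list: tools such as esbuild legitimately
// use install scripts, so each entry needs a human decision, not auto-blocking.
function auditLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // "" is the root project itself
    const name = packageNameFromPath(lockPath);
    const id = `${name}@${entry.version}`;
    if ((COMPROMISED[name] || []).includes(entry.version)) findings.compromised.push(id);
    if (entry.hasInstallScript) findings.installScripts.push(id);
  }
  return findings;
}

// Parses a commit message of the dead-drop form. Returns null when the message
// does not match; otherwise the base64 text and the decoded bytes. The advisory
// does not document the decoded format, so nothing further is assumed about it.
function parseDeadDropCommit(message) {
  const m = DEAD_DROP_RE.exec(message.trim());
  if (!m) return null;
  return { b64: m[1], decoded: Buffer.from(m[1], 'base64') };
}

// Flags repositories whose description carries the IOC string. `repos` is an
// array of { name, description } objects, e.g. what you get back after fetching
// a user's or organisation's repository list from GitHub.
function flagRepos(repos) {
  return repos
    .filter((r) => (r.description || '').includes(IOC_REPO_DESCRIPTION))
    .map((r) => r.name);
}

// Constructed sample lockfile: two compromised versions, one clean @cap-js
// version, and one package (esbuild) with a legitimate install script.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/@cap-js/sqlite': { version: '2.2.2', hasInstallScript: true },
    'node_modules/@cap-js/db-service': { version: '2.10.0' },
    'node_modules/mbt': { version: '1.2.48', hasInstallScript: true },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/esbuild': { version: '0.21.0', hasInstallScript: true },
  },
};

// Constructed sample repository list.
const SAMPLE_REPOS = [
  { name: 'api-gateway', description: 'Internal API gateway' },
  { name: 'zx9q2', description: 'A Mini Shai-Hulud has Appeared' },
];

// CLI use: `node audit-lock.js path/to/package-lock.json`; with no argument
// the constructed sample is audited instead.
if (typeof require === 'function' && require.main === module) {
  const fs = require('node:fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
  console.log('suspicious repos:', flagRepos(SAMPLE_REPOS));
}
```

Run it against each repository's lockfile on the CI side rather than on developer laptops: the lockfile is the record of what actually got installed, and the install-script list doubles as the allowlist to maintain if you later switch the runners to ignore-scripts. The dead-drop matcher is meant for commit messages pulled from your own organisation's repositories, since those are where the payload pushes its exfiltration commits.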
Related links:
https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack
https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/
https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/
https://x.com/adnanthekhan/status/2049490014183026721
Related CVEs:
Related threat actors:
TeamPCP (suspected)
IOCs:
setup.mjs
execution.js
GitHub repository description: 'A Mini Shai-Hulud has Appeared'
Commit message pattern: 'OhNoWhatsGoingOnWithGitHub:<base64>'
String pattern: 'Shai-Hulud: The Third Coming'
This article was created with the assistance of AI technology by Perceptive.
