
Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers’ systems.
Security researchers report that the compromise impacted four packages, with the versions now deprecated on NPM:
- @cap-js/sqlite – v2.2.2
- @cap-js/postgres – v2.2.2
- @cap-js/db-service – v2.10.1
- mbt – v1.2.48
These packages support SAP’s Cloud Application Programming Model (CAP) and Cloud MTA, which are commonly used in enterprise development.
According to new reports by Aikido and Socket, the compromised packages were modified to include a malicious ‘preinstall’ script that executes automatically when the npm package is installed.
This script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub and uses it to execute a heavily obfuscated execution.js payload.
The payload is an information-stealer that harvests a wide variety of credentials from both developer machines and CI/CD environments, including:
- npm and GitHub authentication tokens
- SSH keys and developer credentials
- Cloud credentials for AWS, Azure, and Google Cloud
- Kubernetes configuration and secrets
- CI/CD pipeline secrets and environment variables
The malware also attempts to extract secrets directly from the CI runner’s memory, similar to how TeamPCP extracted credentials in previous supply-chain attacks.
“On CI runners, the payload executes an embedded Python script that reads /proc/
“This memory scanner for secrets is structurally identical to the one documented in the Bitwarden and Checkmarx incidents.”
Once data is collected, it is encrypted and uploaded to public GitHub repositories under the victim’s account. These repositories include the description, “A Mini Shai-Hulud has Appeared”, which is also similar to the “Shai-Hulud: The Third Coming” string seen in the Bitwarden supply chain attack.

Source: Aikido
The malware also relies on GitHub commit searches as a dead-drop mechanism to retrieve tokens and gain further access.
“The malware searches GitHub commits for this string and uses matching commit messages as a token dead-drop,” explains Aikido.
“Commit messages matching OhNoWhatsGoingOnWithGitHub:
Similar to previous attacks, the deployed payload also includes code to self-propagate to other packages.
Using stolen npm or GitHub credentials, it attempts to modify other packages and repositories it gains access to, and injects the same malicious code to spread further.
Researchers have linked this attack with medium confidence to the TeamPCP threat actors, who used similar code and tactics in previous supply-chain attacks against Trivy, Checkmarx, and Bitwarden.
While it is unclear how the threat actors compromised SAP’s npm publishing process, Security Engineer Adnan Khan reports that an NPM token may have been exposed via a misconfigured CircleCI job.
BleepingComputer contacted SAP to learn how the npm packages were compromised, but did not receive a reply at the time of publication.
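As an added defender-side check (not code from the article, Aikido, Socket or SAP), the script below flags the four package versions listed above when they are pinned in a package-lock.json or present in an installed node_modules tree, and surfaces any automatically executed install hook, with hook commands that name the reported setup.mjs / Bun / execution.js chain called out separately. The sample lockfile and package.json contents at the bottom are constructed for illustration; the hook command "node setup.mjs" is an assumption, not the actual command used in the compromised packages.

```python
import json
import re
from pathlib import Path

# The four package/version pairs named in the advisory (since deprecated on npm).
COMPROMISED = {
    "@cap-js/sqlite": {"2.2.2"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/db-service": {"2.10.1"},
    "mbt": {"1.2.48"},
}
AUTO_HOOKS = ("preinstall", "install", "postinstall")  # run automatically on npm install
SUSPICIOUS = re.compile(r"setup\.mjs|\bbun\b|execution\.js", re.I)  # reported loader chain

def audit_lockfile(lock: dict) -> list[str]:
    """Flag compromised versions pinned in a package-lock.json (lockfile v2/v3 'packages' map)."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1]  # nested paths keep only the innermost package
        if meta.get("version") in COMPROMISED.get(name, set()):
            hits.append(f"{name}@{meta['version']}: compromised version pinned in lockfile")
    return hits

def audit_package_json(pkg: dict) -> list[str]:
    """Flag a compromised version or an automatically run install hook in one package.json."""
    hits = []
    name, version = pkg.get("name"), pkg.get("version")
    if version in COMPROMISED.get(name, set()):
        hits.append(f"{name}@{version}: compromised version installed")
    for hook in AUTO_HOOKS:
        cmd = (pkg.get("scripts") or {}).get(hook)
        if cmd and SUSPICIOUS.search(cmd):
            hits.append(f"{name}@{version}: {hook} hook runs loader-like command '{cmd}'")
        elif cmd:
            hits.append(f"{name}@{version}: {hook} hook present ('{cmd}'), review manually")
    return hits

def audit_node_modules(root: str) -> list[str]:
    """Walk an installed node_modules tree and audit every package.json in it."""
    hits = []
    for pj in Path(root).rglob("package.json"):
        try:
            hits.extend(audit_package_json(json.loads(pj.read_text(encoding="utf-8"))))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file; skip it
    return hits

# Constructed sample inputs (not real package contents) for a quick self-check.
SAMPLE_LOCK = {"packages": {"node_modules/@cap-js/sqlite": {"version": "2.2.2"}}}
SAMPLE_PKG = {"name": "mbt", "version": "1.2.48", "scripts": {"preinstall": "node setup.mjs"}}
```

Run audit_node_modules("node_modules") in a project checkout or on a CI runner; a hit on a version match is a confirmed exposure, while a plain hook finding is only a prompt to read the script before trusting the package.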