Official SAP npm packages compromised to steal developer data

Several legitimate SAP npm packages were compromised in what is believed to be a TeamPCP supply chain attack aimed at stealing credentials and authentication tokens from developer systems.
Security researchers report that the compromise affected four packages, with versions now withdrawn from NPM:
- @cap-js/sqlite – v2.2.2
- @cap-js/postgres – v2.2.2
- @cap-js/db-service – v2.10.1
- mbt – v1.2.48
These packages support SAP’s Cloud Application Programming Model (CAP) and Cloud MTA, which are commonly used in enterprise development.
According to new reports by Aikido and Socket, the compromised packages have been modified to include a malicious ‘preinstall’ script that runs automatically when an npm package is installed.
This script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub and uses it to run a more heavily obfuscated execution.js payload.
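Because the infection vector here is an npm lifecycle hook that runs on `npm install`, the two things a defender most wants to check are whether any installed package carries an install-time script and whether any of the withdrawn versions named above is present. The following audit script is an added example written for this article, not code from SAP, Aikido or Socket; the package manifests it scans are constructed for illustration, and the `node setup.mjs` command in the sample is a constructed stand-in for a suspicious preinstall hook.

```python
"""Audit npm package manifests for install-time lifecycle scripts and for the
withdrawn SAP package versions named in the article.

Added example, not code from SAP, Aikido or Socket. Sample manifests below are
constructed for illustration.
"""
import json
from pathlib import Path
from typing import Dict, List, Set

# Versions withdrawn from npm after the compromise, as listed in the article.
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {
    "@cap-js/sqlite": {"2.2.2"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/db-service": {"2.10.1"},
    "mbt": {"1.2.48"},
}

# Lifecycle hooks that npm runs automatically during `npm install`
# unless scripts are disabled with `--ignore-scripts`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_manifest(manifest: dict) -> List[str]:
    """Return findings for a single parsed package.json.

    A finding is raised when the package is one of the withdrawn versions
    or when it declares any install-time lifecycle script.
    """
    findings: List[str] = []
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "")

    if version in COMPROMISED_VERSIONS.get(name, set()):
        findings.append(f"{name}@{version}: version withdrawn from npm after compromise")

    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{name}@{version}: declares '{hook}' script: {scripts[hook]!r}")
    return findings


def audit_tree(node_modules: Path) -> List[str]:
    """Walk a node_modules directory (scoped @org/pkg dirs and nested
    node_modules included) and audit every package.json found."""
    findings: List[str] = []
    for manifest_path in sorted(node_modules.rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON file: skip, it is not a manifest
        findings.extend(audit_manifest(manifest))
    return findings


# Constructed sample manifests: one compromised version carrying a preinstall
# hook, and one clean package with only a build script.
SAMPLE_MANIFESTS = [
    {"name": "mbt", "version": "1.2.48",
     "scripts": {"preinstall": "node setup.mjs"}},          # constructed hook
    {"name": "example-clean-lib", "version": "3.0.1",       # constructed name
     "scripts": {"build": "tsc -p ."}},
]


def demo() -> List[str]:
    """Audit the constructed sample manifests and return all findings."""
    findings: List[str] = []
    for manifest in SAMPLE_MANIFESTS:
        findings.extend(audit_manifest(manifest))
    return findings


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To audit a real checkout, call `audit_tree(Path("node_modules"))` after installing with `npm install --ignore-scripts`, which prevents any `preinstall` hook from executing while you inspect the tree; the version table is deliberately limited to what the article reports and should be extended from the advisories as more versions are confirmed.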
The payload is an information stealer used to steal various credentials from both developer machines and CI/CD environments, including:
- npm and GitHub authentication tokens
- SSH keys and developer credentials
- Cloud credentials for AWS, Azure, and Google Cloud
- Kubernetes configuration and secrets
- CI/CD pipeline secrets and environment variables
The malware also tries to extract secrets directly from the CI runner’s memory, similar to how TeamPCP extracted credentials in previous supply chain attacks.
“For CI runners, the payload executes an embedded Python script that reads /proc/
“This secret memory scanner is similar to the one documented in the Bitwarden and Checkmarx incident.”
Once the data is collected, it is encrypted and uploaded to public GitHub repositories under the victim’s account. These repositories carry the description “Mini Shai-Hulud Appears”, which resembles the string “Shai-Hulud: The Third Coming” seen in the Bitwarden supply chain attack.

Source: Aikido
The malware also relies on GitHub searches as a way to dump tokens and gain more access.
“The malware searches for GitHub commits in this thread and uses the same commit messages as the crash token,” Aikido explained.
“Commit messages related to OhNoWhatsGoingOnWithGitHub:
Similar to previous attacks, the payload used includes code to self-distribute to other packages.
It uses stolen npm or GitHub credentials, tries to modify other packages and repositories it gains access to, and injects similar malicious code to spread further.
The researchers linked this attack with confidence to the TeamPCP threat actors, who used the same code and tactics in previous supply chain attacks against Trivy, Checkmarx, and Bitwarden.
While it is unclear how the threat actors compromised SAP’s npm publishing process, Security Engineer Adnan Khan reports that the NPM token may have been exposed through a poorly configured CircleCI function.
BleepingComputer contacted SAP to learn how the npm packages were compromised, but did not receive a response at the time of publication.