
Official SAP npm packages compromised to steal credentials

Why This Matters

The compromise of official SAP npm packages exposes a significant weakness in the software supply chain, one that reaches directly into enterprise development environments. By injecting malicious scripts, attackers can steal sensitive credentials and cloud secrets, putting organizations' data integrity and security at risk. The incident underscores the importance of rigorous package verification and sound security practices across the tech industry and among developers.

Key Takeaways

Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems.

Security researchers report that the compromise impacted four packages, with the versions now deprecated on NPM:

@cap-js/sqlite – v2.2.2

@cap-js/postgres – v2.2.2

@cap-js/db-service – v2.10.1

mbt – v1.2.48

These packages support SAP's Cloud Application Programming Model (CAP) and Cloud MTA, which are commonly used in enterprise development.

According to new reports by Aikido and Socket, the compromised packages were modified to include a malicious 'preinstall' script that executes automatically when the npm package is installed.

This script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub and uses it to execute a heavily obfuscated execution.js payload.

The payload is an information-stealer used to steal a wide variety of credentials from both developer machines and CI/CD environments, including:
