Medium Vulnerability

SAP npm packages compromised in credential-stealing attack

Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems. [...]

What Happened

Multiple official SAP npm packages were compromised in a supply-chain attack designed to steal credentials and authentication tokens from developers’ systems. Security researchers at Aikido Security identified malicious versions of the packages, which they attribute to the threat group known as TeamPCP. The compromised packages were published to the npm registry and have since been removed, but may have been downloaded in the interim.

Why It Matters

This incident highlights the growing risk to organizations that depend on public package registries for their software supply chains. SAP-related projects are often used in enterprise environments where developers have access to critical infrastructure, including cloud services, CI/CD pipelines, and production databases. A credential-stealing payload in a developer’s environment could lead to lateral movement, data exfiltration, or further supply-chain compromises. The attack underscores that even official-looking packages from trusted vendors cannot be taken at face value.

Technical Details

The malicious npm packages impersonated legitimate SAP-adjacent libraries, likely using typosquatting or account compromise. Once installed, the malware executed on the developer’s machine and exfiltrated credentials and authentication tokens to attacker-controlled servers. The TeamPCP group has a known track record of targeting npm ecosystems with similar credential-stealing campaigns. No known CVE has been assigned as the attack leverages social engineering and trojanized packages rather than a software vulnerability.

Immediate Risk

The risk is medium for organizations that have SAP engineers or cloud developers downloading npm packages. The compromised packages have been removed from the npm registry, but any developer who installed them during the exposure window may have their credentials and tokens stolen. This could affect SAP cloud services, GitHub repositories, and internal authentication systems. Organizations should immediately audit their npm dependency trees for any suspicious SAP-named packages and rotate credentials for affected developers.

Security Insight

The sophistication of this attack lies not in its code but in its targeting: SAP developers, by the nature of their work, often hold keys to enterprise resource planning (ERP) systems and cloud infrastructure. Unlike generic malware that casts a wide net, this campaign is surgically aimed at a high-value professional demographic. The defensive takeaway is that package registry trust models are broken; organizations should implement dependency pinning, mandatory code review for new packages, and host their own private registries mirrored from verified sources. This incident mirrors similar attacks like the 2021 “ua-parser-js” compromise, where targeting a small group of developers yielded outsized impact on downstream enterprises.
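The audit recommended under "Immediate Risk" and the pinning and registry controls recommended above can be combined into one lockfile check. The script below is an added example written for this page; it is not tooling from SAP, Aikido Security or the article. It walks an npm `package-lock.json` (lockfile v2/v3 `packages` layout) and flags SAP-named dependencies that are outside the `@sap` scope, carry an install lifecycle script, were resolved from an unexpected registry, or drift from a pinned allowlist. The package names, versions, URLs and the allowlist are all constructed placeholders, and the four heuristics are this example's own assumptions, not indicators published for the incident.

```javascript
// Added example (not from the article, SAP or Aikido): audit an npm lockfile
// for SAP-named dependencies worth a second look. All four heuristics are
// assumptions made for this example, not published indicators.
//   1. name mentions "sap" but is not under the official @sap scope
//   2. package carries an install lifecycle script (hasInstallScript)
//   3. tarball was resolved from somewhere other than the expected registry
//   4. an @sap package is not at the version pinned in an allowlist
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// lock: parsed package-lock.json (lockfileVersion 2 or 3)
// pinned: { "<package name>": "<approved version>" } allowlist
function auditLockfile(lock, pinned, registry = EXPECTED_REGISTRY) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project entry, not a dependency
    // Nested paths look like node_modules/a/node_modules/b; keep the last name.
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!/sap/i.test(name)) continue;

    const reasons = [];
    if (!name.startsWith("@sap/")) {
      reasons.push("sap-named but outside the @sap scope");
    }
    if (meta.hasInstallScript) {
      reasons.push("declares an install lifecycle script");
    }
    if (meta.resolved && !meta.resolved.startsWith(registry)) {
      reasons.push(`resolved from unexpected location ${meta.resolved}`);
    }
    if (pinned[name] && pinned[name] !== meta.version) {
      reasons.push(`version ${meta.version} differs from pinned ${pinned[name]}`);
    }
    if (reasons.length > 0) {
      findings.push({ name, version: meta.version, reasons });
    }
  }
  return findings;
}

// Same check for raw lockfile text, e.g. fs.readFileSync("package-lock.json", "utf8").
function auditLockfileText(text, pinned, registry = EXPECTED_REGISTRY) {
  return auditLockfile(JSON.parse(text), pinned, registry);
}

// Constructed sample lockfile: placeholder names, versions and URLs only.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@sap/placeholder-client": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/@sap/placeholder-client/-/placeholder-client-1.2.3.tgz",
    },
    // Unscoped lookalike of the entry above, with an install script (constructed).
    "node_modules/sap-placeholder-client": {
      version: "1.2.4",
      resolved: "https://registry.npmjs.org/sap-placeholder-client/-/sap-placeholder-client-1.2.4.tgz",
      hasInstallScript: true,
    },
    // Scoped package pulled from a non-registry URL and off the pinned version.
    "node_modules/@sap/placeholder-auth": {
      version: "9.9.9",
      resolved: "https://mirror.example.invalid/placeholder-auth-9.9.9.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// Constructed allowlist of approved versions for the @sap packages in use.
const PINNED = {
  "@sap/placeholder-client": "1.2.3",
  "@sap/placeholder-auth": "2.0.0",
};

function runAudit() {
  return auditLockfile(SAMPLE_LOCK, PINNED);
}

for (const f of runAudit()) {
  console.log(`${f.name}@${f.version}`);
  for (const r of f.reasons) console.log(`  - ${r}`);
}
```

Against the constructed sample the unscoped lookalike and the off-registry, off-pin `@sap/placeholder-auth` are reported while the correctly pinned scoped package and `lodash` are not. A hit is a prompt to inspect the tarball and, if the package was installed during the exposure window, to rotate the developer's tokens as the article advises; it is not proof of compromise on its own.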
