Skip to main content
Emerging ThreatsSupply Chain Attacks

SAP npm Packages Compromised in Supply-Chain Attack

Software development workstation with code editor and blurred tools, hinting at supply chain logistics in background.

"On CI runners, the payload executes an embedded Python script that reads /proc/<pid>/maps and /proc/<pid>/mem for the Runner.Worker process to extract every secret matching "key" :{{ "value": "...", "isSecret":true}} directly from runner memory, bypassing all log masking applied by the CI platform," explains Socket.

Compromised SAP npm packages and the scope of impact

Security researchers report that four official SAP npm packages were compromised and their affected versions have been deprecated on NPM. The packages and versions named in the reporting are:

  • @cap-js/sqlite – v2.2.2
  • @cap-js/postgres – v2.2.2
  • @cap-js/db-service – v2.10.1
  • mbt – v1.2.48

Those packages are used to support SAP's Cloud Application Programming Model (CAP) and Cloud MTA, which researchers say are commonly used in enterprise development. BleepingComputer contacted SAP for comment about how the packages were compromised but did not receive a reply at the time of publication.

How the malicious installation chain operated

Researchers from Aikido and Socket say the attackers modified the packages to include a malicious "preinstall" script that runs automatically during npm installation. That script launches a loader file named setup.mjs, which in turn downloads the Bun JavaScript runtime from GitHub and uses Bun to execute a heavily obfuscated execution.js payload.

The chain — preinstall → setup.mjs → Bun → execution.js — allowed the attackers to execute a multi-stage payload on developer workstations and continuous-integration runners as soon as a developer installed the compromised package.

Data stolen, exfiltration methods, and dead-drop mechanics

The deployed payload is described as an information-stealer that targets a broad set of credentials and secrets. According to the reporting, the malware aims to harvest:

  • npm and GitHub authentication tokens
  • SSH keys and developer credentials
  • Cloud credentials for AWS, Azure, and Google Cloud
  • Kubernetes configuration and secrets
  • CI/CD pipeline secrets and environment variables

On CI runners specifically, the payload runs an embedded Python script that reads process memory maps and memory dumps — the /proc/<pid>/maps and /proc/<pid>/mem files — targeting the Runner.Worker process to extract secrets directly from memory. Socket notes the memory-scanning technique is structurally identical to the technique documented in prior supply-chain incidents involving Bitwarden and Checkmarx.

Once collected, data is encrypted and uploaded to public GitHub repositories under the victim's account. Those repositories include the description "A Mini Shai-Hulud has Appeared," a string researchers say echoes the "Shai-Hulud: The Third Coming" marker seen in a prior supply-chain attack. The malware also uses GitHub commit searches as a dead-drop mechanism: commit messages matching the pattern "OhNoWhatsGoingOnWithGitHub:<base64>" are decoded into GitHub tokens and checked for repository access, according to Aikido.

Self-propagation, credential replay, and the TeamPCP linkage

Researchers report the payload contains code to self-propagate. Using stolen npm or GitHub credentials, it attempts to modify other packages and repositories it gains access to and injects the same malicious code to spread further. The attack has been linked with medium confidence to threat actors tracked as TeamPCP; researchers say TeamPCP used similar code and tactics in previous supply-chain attacks against Trivy, Checkmarx, and Bitwarden.

What this means for SAP developers, CI/CD operators, and enterprise security teams

SAP developers who install CAP or Cloud MTA-related packages — or build container images and CI pipelines that do so — should assume compromise of credentials and CI environment variables is possible for the affected versions. CI/CD operators need to be alert to the specific memory-scraping behavior reported here, since the payload targets runner process memory and attempts to bypass log masking by extracting secrets directly from the Runner.Worker process.

Enterprise security teams should treat public GitHub repositories created under developer accounts as potential exfiltration points and look for the described repository description string and unusual commit-message patterns that might indicate a token dead-drop. The reporting also includes a note from Security Engineer Adnan Khan that an NPM token may have been exposed via a misconfigured CircleCI job, highlighting configuration issues as one plausible vector the investigators flagged.

The immediate factual threads are clear: four SAP packages were modified to run a multi-stage loader that used Bun to execute an obfuscated credential-stealing payload; the malware exfiltrated secrets to public GitHub repositories and used commit-message searches as a dead-drop; and researchers see strong technique overlap with previous TeamPCP supply-chain incidents. How the npm publishing process itself was breached remains unspecified in the reporting, and SAP had not responded to questions at the time of publication.

Source: BleepingComputer — Official SAP npm packages compromised to steal credentials