Supply Chain Attack Compromises Official SAP npm Packages, Steals Developer and CI/CD Credentials
What Happened — Four official SAP npm packages used in the Cloud Application Programming Model were hijacked with a malicious preinstall script. The script pulls the Bun runtime, executes an obfuscated payload, and harvests a wide range of credentials from developer workstations and CI/CD runners.
Why It Matters for TPRM —
- Credential theft from supply‑chain components can give attackers unfettered access to downstream customers’ environments.
- Compromise of CI/CD pipelines amplifies impact, allowing lateral movement into cloud accounts, Kubernetes clusters, and other critical services.
- The attack demonstrates that even “official” packages from trusted vendors can become attack vectors, raising the bar for third‑party risk assessments.
Who Is Affected — Enterprises that develop SAP Cloud Application Programming Model (CAP) solutions, SaaS providers integrating SAP SDKs, and any organization that consumes the compromised npm packages in their build pipelines.
Recommended Actions —
- Immediately audit all projects for the four affected packages and remove any versions ≥ 2.2.2 (or ≥ 1.2.48 for mbt).
- Rotate all npm, GitHub, SSH, and cloud provider tokens that may have been exposed.
- Harden CI/CD runners: disable automatic script execution on package install, enforce signed packages, and monitor for unexpected memory‑scanning activity.
Technical Notes — The malicious preinstall script downloads Bun from GitHub, runs execution.js, and executes a Python memory‑scanner to pull secrets directly from the CI runner’s memory. Stolen data are encrypted and exfiltrated to attacker‑controlled GitHub repositories via dead‑drop commit messages. The technique mirrors previous TeamPCP supply‑chain attacks. Source: BleepingComputer