Supply Chain Attack Compromises SAP‑Related npm Packages, Harvesting Developer Credentials
What Happened — A coordinated supply‑chain campaign dubbed “mini Shai‑Hulud” injected credential‑stealing malware into several npm packages that are part of SAP’s JavaScript SDKs and cloud‑application tooling. The malicious versions were published to the public npm registry and downloaded by developers worldwide, allowing attackers to capture stored credentials and tokens.
Why It Matters for TPRM —
- Third‑party code libraries can become a covert conduit for credential theft, exposing downstream customers.
- SAP‑related components are widely used in enterprise ERP, finance, and supply‑chain applications, amplifying risk across multiple sectors.
- The attack demonstrates the need for continuous monitoring of open‑source dependencies in vendor‑managed environments.
Who Is Affected — Enterprises that integrate SAP JavaScript SDKs, cloud‑native SAP services, or any applications that depend on the compromised npm packages (across finance, manufacturing, professional services, and SaaS providers).
Recommended Actions —
- Inventory all projects that consume SAP‑related npm packages and verify their versions.
- Replace compromised packages with clean, verified releases or alternative libraries.
- Enforce strict SCA (Software Composition Analysis) and integrity‑checking pipelines for all third‑party dependencies.
- Rotate any credentials or tokens that may have been exposed and monitor for anomalous activity.
Technical Notes — The attackers used the dependency supply chain as the delivery vector, publishing malicious versions under the packages’ legitimate names so that routine installs pulled them in. No public CVE was issued, but the malware harvested credentials (e.g., npm tokens, API keys) and exfiltrated them to attacker‑controlled endpoints. Source: The Hacker News