Multiple official SAP npm packages were compromised in an apparent TeamPCP supply-chain attack that inserted a malicious preinstall script to steal developer credentials and CI secrets. The attack used a setup.mjs loader that downloads the Bun runtime to run an obfuscated information-stealer which exfiltrates tokens, SSH keys, cloud and Kubernetes credentials, and memory-scraped CI secrets, then uploads data to public GitHub repos. #TeamPCP #SAP
Keypoints
- Four SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt) were backdoored and deprecated on NPM.
- A malicious preinstall script executed setup.mjs, which downloaded the Bun runtime to run an obfuscated execution.js payload.
- The payload steals npm and GitHub tokens, SSH keys, AWS/Azure/GCP credentials, Kubernetes secrets, and CI/CD environment secrets.
- Collected data is encrypted and uploaded to public GitHub repositories labeled "A Mini Shai-Hulud has Appeared", and the malware uses GitHub commit messages as a token dead-drop.
- Researchers link the activity to TeamPCP with medium confidence, note possible NPM token exposure via a misconfigured CircleCI job, and observe self-propagation to other packages.