:

SAP NPM PACKAGES COMPROMISED IN CREDENTIAL THEFT ATTACK

INDUSTRY DESK2 MIN READ
THU, APR 30, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Multiple official SAP npm packages were compromised in a supply-chain attack attributed to TeamPCP, targeting developer credentials and authentication tokens. The incident exposes risks in the JavaScript ecosystem's dependency chain.

SAP has confirmed that several of its official npm packages were compromised, likely as part of a coordinated supply-chain attack. The threat actor group TeamPCP is believed responsible for injecting malicious code designed to harvest credentials and authentication tokens from affected developers' systems. ■ What Happened The compromised packages were distributed through the official npm repository, giving the attack broad potential reach across SAP's developer community. By positioning malicious code within trusted, official packages, attackers exploited the implicit trust developers place in vendor-supplied dependencies. The injected code targeted sensitive authentication materials, including API keys, session tokens, and credential files commonly stored on developer machines. Such access could enable further unauthorized access to internal systems and development environments. ■ Scope and Response SAP has not publicly disclosed the exact number of compromised packages or the total number of affected installations. The company has begun notifying impacted users and has removed malicious versions from the npm registry. Developers who installed affected packages are advised to: - Rotate all credentials and authentication tokens - Review access logs for suspicious activity - Update to patched package versions - Audit systems for signs of unauthorized access ■ Broader Context This incident underscores persistent vulnerabilities in software supply chains. Even official packages from major vendors can be compromised, as demonstrated by previous attacks on popular npm packages. The JavaScript ecosystem, with its massive dependency graphs and frequent updates, remains a significant attack surface. Organizations relying on npm dependencies should implement stricter controls, including dependency scanning, version pinning, and regular security audits. The incident reinforces that vendor reputation alone provides insufficient protection against determined attackers.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

4H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

4H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

7H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

10H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.