News of the day

ADVANCED SECURITY EUROPA EOOD

Unveiling the TeamPCP Attack: SAP npm Packages Compromised in Supply-Chain Breach

30 April 2026

Multiple SAP npm packages, including @cap-js/sqlite and @cap-js/postgres, were compromised in a supply-chain attack by TeamPCP.
The compromised packages contained a malicious 'preinstall' script that executed an information-stealer to extract credentials from developer systems.
This malware targeted npm and GitHub tokens, SSH keys, cloud credentials, CI/CD secrets, and Kubernetes configuration.
The stolen data was encrypted and uploaded to public GitHub repositories.
The attack was linked to TeamPCP, known for similar attacks against other companies.
The malware also self-propagated by modifying other packages using stolen credentials.
The exact method of compromise is unknown, but it may have been via a misconfigured CircleCI job.
SAP has not provided a response regarding the incident.
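
Because the payload ran from a 'preinstall' script, one defensive check is to list every lockfile entry that npm marks with `hasInstallScript` and fail the build on any that have not been reviewed. The following is an added example, not code from the original article or from SAP; the lockfile contents, the placeholder versions and the package names `native-addon-example` and `plain-lib-example` are constructed for illustration.

```javascript
// Constructed sample: a trimmed lockfileVersion 3 package-lock.json.
// Versions are placeholders; "native-addon-example" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/native-addon-example": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/plain-lib-example": { version: "0.0.0-placeholder" },
    "node_modules/plain-lib-example/node_modules/@cap-js/postgres": {
      version: "0.0.0-placeholder", hasInstallScript: true,
    },
  },
};

// Package name from a lockfile path key; handles nested installs and scopes.
function nameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Every dependency that npm flagged as running code at install time.
function auditInstallScripts(lock, allowlist = new Set()) {
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !entry.hasInstallScript) continue; // skip root and script-free deps
    const name = entry.name || nameFromPath(path);
    findings.push({ name, version: entry.version, path, allowed: allowlist.has(name) });
  }
  return findings;
}

// Names that run install-time code but were never reviewed; non-empty should fail CI.
function unapproved(lock, allowlist) {
  return auditInstallScripts(lock, allowlist)
    .filter((f) => !f.allowed)
    .map((f) => f.name)
    .sort();
}

console.log(unapproved(sampleLock, new Set(["native-addon-example"])));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running at all, which makes this audit a review list rather than the last line of defence.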