Supply Chain Attack Compromises npm Packages Used in SAP Development Environments
Malicious code embedded in widely used packages enables credential theft and CI/CD compromise across enterprise development workflows.
A new supply chain attack has impacted npm packages used in SAP-related JavaScript and cloud development environments, introducing credential-stealing malware during installation.
The attack targets widely used components in SAP’s development ecosystem, making it highly relevant for organizations relying on enterprise development pipelines and automated deployments.
Rather than exploiting a traditional vulnerability, the campaign abuses trust in the dependency chain, allowing it to spread silently and efficiently.
How the Attack Works
The compromised package versions introduce a preinstall script that executes automatically during installation.
This script:
- downloads an external runtime (Bun)
- extracts and executes a binary
- loads a second-stage credential-stealing payload
This process runs without explicit user interaction, making it difficult to detect.
What Gets Compromised
The malware targets developer environments and CI/CD pipelines, extracting:
- GitHub tokens
- npm tokens
- GitHub Actions secrets
- cloud credentials (AWS, Azure, GCP)
- Kubernetes configurations
- browser-stored credentials and sessions
Collected data is encrypted and exfiltrated via public GitHub repositories created under the victim’s account.
Propagation and Persistence
The attack includes mechanisms for self-propagation:
- injecting malicious GitHub Actions workflows
- publishing compromised npm packages
- modifying repositories to trigger execution on open
Examples include:
- .vscode/tasks.json with auto-run triggers
- .claude/settings.json abusing AI tooling hooks
This reflects a shift toward attacks targeting developer tooling and AI-assisted workflows.
Affected Packages and Response
The malicious versions were published on April 29, 2026, and were quickly identified by multiple security vendors.
Clean versions have been released, and immediate updates are recommended.
DIAMATIX Perspective
This campaign highlights the shift toward developer ecosystems as primary entry points.
The attack surface now includes:
- build pipelines
- developer workstations
- dependency management systems
Compromising the pipeline means compromising the organization.
CISO Analysis
From a risk perspective, this is a high-impact supply chain compromise.
Key takeaways:
- Trusted packages are not inherently safe
- CI/CD environments are prime targets
- Secrets must be isolated and rotated
- GitHub and npm are increasingly used as C2 channels
The speed of propagation is the critical factor. A single compromised dependency can spread across multiple environments within minutes.
Recommended Actions
- update to clean package versions
- audit dependency trees
- rotate all credentials and tokens
- review GitHub Actions workflows
- monitor for unusual repository changes
- restrict execution of install-time scripts
Sources
- Aikido Security – attack analysis
- Wiz Research – technical breakdown
- SafeDep / Socket / StepSecurity – additional findings
- Onapsis – SAP ecosystem security insights
This article is based on publicly available information as of April 2026.