# SAP npm Packages Compromised in Supply-Chain Attack Targeting Developer Credentials


A significant supply-chain attack has compromised multiple official SAP npm packages, allowing threat actors to harvest credentials and authentication tokens directly from developers' systems. The attack, attributed to the TeamPCP threat group, represents a sophisticated evolution in supply-chain targeting that bypasses traditional security boundaries to access sensitive development credentials at scale.


## The Threat


Security researchers discovered that several legitimate SAP npm packages—distributed through the official npm registry—had been modified to include malicious code designed to exfiltrate authentication credentials and API tokens from developers' local environments. The compromised packages were being served to any developer who installed or updated them, creating a wide exposure window before detection.


The attack specifically targets:

- SSH keys and authentication credentials stored in `~/.ssh` directories
- npm tokens and registry credentials
- API keys for cloud services and development platforms
- Git credentials and authentication tokens
- Environment variables containing sensitive configuration data

What distinguishes this attack is its reach across the entire credential landscape of a compromised developer machine: credentials that developers often assume are safely contained within their local systems.


## Background and Context

### About TeamPCP

The TeamPCP threat group has been linked to several high-profile supply-chain attacks targeting software development infrastructure. The group specializes in obtaining legitimate code repository access and npm package publishing privileges through credential theft, account compromise, or social engineering. Their approach favors patience over speed, often maintaining access for extended periods before deploying malicious payloads.

### The Affected SAP Packages

According to initial reports, the compromised packages include:

| Package Name | Popularity | Risk Level |
|---|---|---|
| @sap/common-logging | High (used in enterprise environments) | Critical |
| @sap/xsenv | High (SAP Cloud Platform integration) | Critical |
| @sap/logger | Moderate | High |
| Additional support packages | Varied | High |

These packages are commonly used in SAP Cloud Platform applications, SAP Fiori development, and enterprise Node.js applications built on the SAP ecosystem.

### Timeline of Discovery

- Initial Compromise: The exact timing of the initial package modification remains unclear, though evidence suggests the malicious code was present for at least 2-3 weeks before discovery
- Detection: Security researchers identified suspicious network traffic and credential exfiltration patterns
- Notification: npm and SAP security teams were notified and began remediation efforts
- Public Disclosure: Official security advisories were released once the extent of the compromise was confirmed

## Technical Details

### Attack Mechanism

The malicious code was inserted into the packages' installation scripts, specifically npm's `postinstall` hooks: scripts that npm runs automatically, without prompting, after a package is installed or updated. This is a well-known npm supply-chain vector that several past attacks have exploited.

The injected code performed the following operations:

1. Credential Discovery: Scanned the user's home directory for common credential storage locations
2. Exfiltration: Compressed the collected credentials into archives and sent them to attacker-controlled infrastructure
3. Obfuscation: Used encoding techniques to evade static analysis and automated detection
4. Cleanup: Removed traces of execution from shell history and logs


### Delivery Method

The attackers maintained access to SAP's npm publishing credentials, allowing them to:

- Modify existing package versions
- Publish new malicious versions without detection
- Update `package.json` manifests to disguise the attack

Because the malicious code shipped in what appeared to be legitimate version updates, npm's version management made it difficult for developers to immediately identify which versions were compromised.

### Scope of Exposure

Initial analysis suggests that developers who installed the affected packages within a specific date range were at risk of credential theft. The exact number of affected installations is still being determined, but npm package download metrics indicate hundreds of thousands of potential exposures across the different versions.

## Implications for Organizations

### Immediate Risks

Organizations using SAP npm packages now face potential:

- Unauthorized Access: Attackers possessing stolen credentials may have gained access to internal systems, cloud platforms, and code repositories
- Source Code Access: Compromised Git credentials could allow attackers to access private repositories and inject additional malware
- Infrastructure Compromise: Cloud API tokens could enable unauthorized access to production environments
- Lateral Movement: Development credentials often provide pathways to broader infrastructure access

### Enterprise Impact

For SAP customers specifically:

- SAP Cloud Platform deployments may be at risk if developers' credentials were used for authentication
- Internal SAP Fiori applications built by affected developers could have been targeted for further compromise
- Supply-chain trust in the SAP ecosystem has been undermined, raising questions about security practices

### Broader Supply-Chain Implications

This incident demonstrates that:

- No Source Is Fully Trusted: Even official, vendor-controlled packages can be compromised if attackers gain sufficient access
- Developer Machines Are High-Value Targets: The diversity of credentials stored on developer workstations makes them attractive targets
- The npm Ecosystem Remains Vulnerable: Despite past incidents, the registry continues to be a preferred attack vector

## Recommendations

### Immediate Actions (24-48 hours)

1. Audit npm Packages: Run `npm audit` and check your `package-lock.json` for the specific compromised versions
2. Rotate Credentials: Assume all local credentials may be compromised; rotate SSH keys, npm tokens, API keys, and cloud credentials
3. Check Logs: Review authentication logs for unusual activity across all services that may have been accessed
4. Notify Cloud Providers: Alert cloud service providers of potential credential theft and request account security reviews
5. Update Packages: Update to patched versions of the affected SAP packages once remediation is confirmed complete


### Short-Term Measures (1-2 weeks)

- Implement Credential Monitoring: Deploy tools to detect unusual API key usage or authentication patterns
- Review Access Logs: Examine logs from Git repositories, the npm registry, and cloud platforms for unauthorized access
- Assess Blast Radius: Determine what systems the compromised credentials could access and prioritize remediation
- Communicate with Teams: Ensure all developers using these packages understand the incident and remediation steps
- Verify Source Code: Review applications using affected packages for injected malicious code

### Long-Term Strategies

- Adopt Zero-Trust Credential Management: Limit credential scope and use short-lived tokens where possible
- Use Credential Scanning: Deploy tools like `git-secrets` and pre-commit hooks to prevent credentials from being committed
- Implement Package Verification: Use npm signatures and verify package integrity through multiple channels
- Develop Incident Response Plans: Create procedures for responding to supply-chain incidents that affect your ecosystem
- Reduce Credential Sprawl: Centralize credential management and reduce the number of credentials stored on developer machines

## Conclusion

The compromise of official SAP npm packages is a critical reminder that supply-chain security cannot rely solely on source verification. Attackers with sufficient sophistication and persistence can infiltrate trusted distribution channels, so organizations need defense-in-depth strategies.

The incident underscores the need for:

- Aggressive credential rotation and monitoring
- Detection mechanisms for unusual authentication activity
- Architectural changes that limit the impact of compromised credentials
- Industry-wide improvements to npm package security

As development becomes increasingly distributed and dependency-driven, the attack surface for supply-chain threats continues to expand. Organizations must treat developer credentials as critical assets requiring the same level of protection as production infrastructure.