TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GBHackers

Attackers Hijack SAP npm Packages to Steal Dev Secrets

Mayura Kathir · 2 days ago

ATT&CK techniques detected

8 predictions
T1195.001 Compromise Software Dependencies and Development Tools
100%
“attackers hijack sap npm packages to steal dev secrets a sophisticated supply chain attack hit the sap developer ecosystem on april 29, 2026, compromising four widely-used npm packages with credential-stealing malware. the attackers modified package installation scripts to do…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“cloud credentials, kubernetes service account tokens, and configuration files for ai coding tools, including claude and visual studio code. stolen data is encrypted using aes-256-gcm and exfiltrated to public github repositories created under victims’ own accounts with the d…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“account, allowing direct malicious publishing without github access. the three @cap-js packages were compromised through a combination of a hijacked sap developer github account and a misconfigured npm oidc trusted publishing setup that granted publishing permissions to any wo…”
T1195.001 Compromise Software Dependencies and Development Tools
96%
“published security note 3747787 addressing the incident and released clean superseding versions for all affected packages. organizations should immediately uninstall compromised versions using npm uninstall with the --ignore-scripts flag, then reinstall the last clean versions.…”
T1195.002 Compromise Software Supply Chain
73%
“cloud credentials, kubernetes service account tokens, and configuration files for ai coding tools, including claude and visual studio code. stolen data is encrypted using aes-256-gcm and exfiltrated to public github repositories created under victims’ own accounts with the d…”
T1587 Develop Capabilities
64%
“attackers hijack sap npm packages to steal dev secrets a sophisticated supply chain attack hit the sap developer ecosystem on april 29, 2026, compromising four widely-used npm packages with credential-stealing malware. the attackers modified package installation scripts to do…”
T1587 Develop Capabilities
56%
“account, allowing direct malicious publishing without github access. the three @cap-js packages were compromised through a combination of a hijacked sap developer github account and a misconfigured npm oidc trusted publishing setup that granted publishing permissions to any wo…”
T1587 Develop Capabilities
42%
“cloud credentials, kubernetes service account tokens, and configuration files for ai coding tools, including claude and visual studio code. stolen data is encrypted using aes-256-gcm and exfiltrated to public github repositories created under victims’ own accounts with the d…”

Summary

A sophisticated supply chain attack hit the SAP developer ecosystem on April 29, 2026, compromising four widely-used npm packages with credential-stealing malware. The attackers modified package installation scripts to download the Bun JavaScript runtime, a legitimate alternative to Node.js, during the npm install process. This technique bypasses Node.js-based security monitoring by executing an 11.6 MB […]