SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

Ravie Lakshmanan | Apr 29, 2026 | Supply Chain Attack / Malware


What’s new: A supply chain attack has compromised SAP-related npm packages, introducing credential-stealing malware. The affected packages include *mbt@1.2.48*, *@cap-js/db-service@2.10.1*, *@cap-js/postgres@2.2.2*, and *@cap-js/sqlite@2.2.2*. The malicious versions were published on April 29, 2026, and contain a preinstall script that executes a credential stealer, targeting local developer credentials, GitHub and npm tokens, and cloud secrets. The stolen data is encrypted and exfiltrated to public GitHub repositories.

Who’s affected

Developers and organizations using the compromised SAP-related npm packages are at risk, particularly those utilizing the affected versions for JavaScript and cloud application development.

What to do

  • Upgrade to the latest safe versions of the affected packages: *sqlite: v2.4.0*, *postgres: v2.3.0*, *hana: v2.8.0*, *db-service: v2.10.1*, and *mbt: v1.2.49*.
  • Review and rotate any potentially compromised credentials, including GitHub and npm tokens, AWS, Azure, GCP, and Kubernetes secrets.
  • Implement monitoring for unusual activity in GitHub repositories and CI/CD environments.
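To make the first step actionable, the following added example (written for this page, not code from the article, SAP, or the npm project) scans an npm lockfile for the exact compromised package@version pairs named above. It understands both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1, and reports every installation path where a hit appears, including copies nested under other dependencies. The sample lockfile embedded at the bottom is constructed for a stand-alone run; the function names are my own.

```javascript
// Added example: find the compromised SAP-related npm package versions
// listed in the advisory inside a package-lock.json object.

// Exact package@version pairs the article names as malicious.
const COMPROMISED = new Map([
  ["mbt", new Set(["1.2.48"])],
  ["@cap-js/db-service", new Set(["2.10.1"])],
  ["@cap-js/postgres", new Set(["2.2.2"])],
  ["@cap-js/sqlite", new Set(["2.2.2"])],
]);

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@cap-js/sqlite" or "node_modules/dep/node_modules/mbt".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Walk a parsed lockfile and return every hit as { name, version, path }.
// v2/v3 lockfiles carry a flat "packages" map; v1 lockfiles carry a
// nested "dependencies" tree. v2 contains both, so the v1 walk is only
// used when no "packages" map is present, to avoid double counting.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const bad = COMPROMISED.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, path });
  };

  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry || !entry.version) continue; // root project entry
      check(nameFromPath(path), entry.version, path);
    }
    return hits;
  }

  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, entry.version, path);
      if (entry.dependencies) walkV1(entry.dependencies, path + "/");
    }
  };
  walkV1(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout) so the example runs offline.
// It includes one safe version and one hit nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/mbt": { version: "1.2.48" },
    "node_modules/@cap-js/sqlite": { version: "2.4.0" },
    "node_modules/some-dep/node_modules/@cap-js/postgres": { version: "2.2.2" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` instead of the constructed sample. Because the malicious versions execute from a preinstall script, installing with `npm ci --ignore-scripts` while you investigate prevents a lockfile that still pins a bad version from running that script.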

Sources