SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

SAP-related npm packages were compromised in a supply chain attack distributing credential-stealing malware.

• •Four packages (mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2) were affected via malicious preinstall scripts
• •The malware downloads and executes a platform-specific Bun binary that harvests developer credentials and cloud secrets
• •Steals GitHub and npm tokens, GitHub Actions secrets, and AWS/Azure/GCP/Kubernetes credentials
• •Self-propagates through GitHub Actions workflows to inject malware and publish poisoned packages
• •Uses Claude Code and VS Code configuration files as persistence vectors

This summary was automatically generated by AI based on the original article and may not be fully accurate.