Cyber: Update: Official SAP npm packages compromised to steal credentials

Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems. Security researchers report that the compromise impacted four packages, with the versions now deprecated on npm: These packages support SAP's Cloud Application Programming Model (CAP) and Cloud MTA, which are commonly used in enterprise development.

According to new reports by Aikido and Socket, the compromised packages were modified to include a malicious 'preinstall' script that executes automatically when the npm package is installed. This script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub and uses it to execute a heavily obfuscated execution.js payload. The payload is an information-stealer used to steal a wide variety of credentials from both developer machines and CI/CD environments, including:

The malware also attempts to extract secrets directly from the CI runner's memory, similar to how TeamPCP extracted credentials in previous supply-chain attacks. "On CI runners, the payload executes an embedded Python script that reads /proc/<pid>/maps and /proc/<pid>/mem for the Runner.Worker process to extract every secret matching "key" :{ "value": "...", "isSecret":true} directly from runner memory, bypassing all log masking applied by the CI platform," explains Socket.
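The install-time mechanism above, a 'preinstall' hook launching a loader, is something a project can audit for before it runs. The following is an added example, not code from the article, Aikido or Socket: it checks package.json-style manifests for npm install lifecycle hooks and flags command fragments worth reviewing. The manifests, package names and scripts are constructed for illustration, and the patterns are heuristics, not a detection signature for this incident.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Command fragments that warrant a closer look when found in an install hook:
// script loaders, download tools, remote URLs and alternate runtimes.
const SUSPICIOUS_PATTERNS = [
  { label: "runs an .mjs/.js loader", re: /\bnode\s+\S+\.(mjs|cjs|js)\b/ },
  { label: "downloads with curl/wget", re: /\b(curl|wget)\b/ },
  { label: "references a remote URL", re: /https?:\/\//i },
  { label: "invokes an alternate runtime (bun/deno)", re: /\b(bun|deno)\b/i },
];

// Return one finding per install hook present in any manifest, with the labels
// of every suspicious pattern the hook's command matched (possibly none).
function auditLifecycleScripts(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] !== "string") continue;
      const reasons = SUSPICIOUS_PATTERNS
        .filter((p) => p.re.test(scripts[hook]))
        .map((p) => p.label);
      findings.push({ pkg: `${m.name}@${m.version}`, hook, command: scripts[hook], reasons });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical names; not the real SAP packages or
// their actual scripts). A real run would load node_modules/*/package.json.
const SAMPLE_MANIFESTS = [
  { name: "example-clean-lib", version: "1.0.0", scripts: { test: "mocha" } },
  { name: "example-native-addon", version: "2.1.0",
    scripts: { install: "node-gyp rebuild" } },
  { name: "example-tampered-pkg", version: "3.4.5",
    scripts: { preinstall: "node setup.mjs", build: "tsc" } },
];

for (const f of auditLifecycleScripts(SAMPLE_MANIFESTS)) {
  const flag = f.reasons.length ? `SUSPICIOUS (${f.reasons.join(", ")})` : "review";
  console.log(`${f.pkg} ${f.hook}: "${f.command}" -> ${flag}`);
}
```

Any install hook is worth a look, since legitimate native addons also use them; setting `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at all, at the cost of breaking packages that need them.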

Source: BleepingComputer