TeamPCP Attackers Infiltrate SAP's Official npm Repository
On April 30, 2026, security researchers discovered that multiple official SAP npm packages had been compromised through a sophisticated supply-chain attack attributed to the TeamPCP threat group. The malicious code was designed to exfiltrate sensitive developer credentials, authentication tokens, and potentially source code from infected development environments.
The attack represents a significant escalation in supply-chain targeting, as SAP maintains one of the most widely used enterprise software ecosystems globally. The compromised packages were distributed through the official npm registry, making them appear legitimate to developers who regularly update their dependencies. Initial analysis suggests the attackers gained unauthorized access to SAP's package publishing infrastructure, allowing them to push malicious updates to existing packages rather than creating typosquatted alternatives.
TeamPCP, previously known for targeting cryptocurrency exchanges and financial institutions, appears to have shifted focus toward enterprise software supply chains. The group's tactics involve embedding obfuscated JavaScript payloads that activate during the package installation process, establishing persistence mechanisms that survive system reboots and development environment resets. Security researchers from Cyber Security News first identified the malicious activity through automated package scanning systems that detected suspicious network communications.
The malicious code employed several sophisticated evasion techniques, including environment detection to avoid execution in sandboxed analysis environments, encrypted command-and-control communications, and selective payload deployment based on the target system's characteristics. The attackers specifically targeted development workstations running popular IDEs and code editors, suggesting they were seeking access to proprietary source code repositories and development secrets.
Enterprise Developers and SAP Ecosystem Users at Risk
The compromise affects JavaScript developers who use SAP's official npm packages in their enterprise applications, particularly those working with SAP's Cloud Application Programming Model, UI5 framework components, and various SAP integration libraries. Organizations running continuous integration pipelines that automatically update npm dependencies are at heightened risk, as the malicious packages would have been automatically pulled into build environments.
Enterprise development teams using SAP's Business Technology Platform, SAP Analytics Cloud, and SAP SuccessFactors integration packages are specifically vulnerable. The attack targeted packages with high download counts, ensuring maximum distribution across the developer community. Companies with automated dependency management systems, including those using npm audit tools and vulnerability scanners, may have inadvertently installed the compromised packages during routine security updates.
The scope extends beyond individual developer workstations to include shared development environments, Docker containers using affected base images, and cloud-based development platforms that automatically resolve npm dependencies. Organizations in the financial services, manufacturing, and retail sectors that heavily rely on SAP integrations face elevated exposure, as these industries commonly use the targeted packages for custom application development and system integrations.
Immediate Response and Mitigation Steps for SAP Package Users
SAP has initiated an emergency response protocol, working directly with npm to remove the compromised packages from the registry and issue security advisories for affected versions. Development teams should immediately audit their package.json files and lock files to identify any SAP-related dependencies that may have been updated in the past 72 hours. Organizations should run comprehensive scans of their development environments using tools like npm audit and third-party supply-chain security solutions.
The recommended immediate response includes isolating any development workstations that installed the compromised packages, rotating all authentication tokens and API keys that may have been exposed, and reviewing recent code commits for unauthorized changes. Teams should examine their CI/CD pipeline logs for unusual network activity or unexpected package installations during the attack window. The Hacker News reports that SAP is coordinating with major cloud providers to identify and notify affected customers.
For ongoing protection, organizations should implement package integrity verification using npm's built-in signature checking capabilities, establish allow-lists for approved package sources, and configure network monitoring to detect unusual outbound connections from development environments. SAP recommends temporarily pinning all SAP-related package versions to known-good releases until the security investigation concludes and verified clean packages are republished to the npm registry.
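The audit and pinning steps above can be scripted against a project's package.json and package-lock.json. The following is an added example, not SAP's or npm's tooling: the scope list, the approved-source list and the sample data are assumptions, and the package names are placeholders because the affected packages are not named here.

```javascript
// Added example. The scope list and source allow-list are assumptions; adjust both.
const SAP_SCOPES = ['@sap/', '@sap-cloud-sdk/', '@ui5/', '@sap-ux/'];
const APPROVED_SOURCES = ['https://registry.npmjs.org/'];
// Exact pin: a bare semver version with no range operator (^, ~, >, <, *, x, ||).
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// pkg = parsed package.json, lock = parsed package-lock.json (lockfileVersion 2 or 3).
function auditSapDependencies(pkg, lock) {
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/@sap/x"; nested copies repeat "node_modules/".
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" key is the root project itself
    const name = path.slice(idx + 'node_modules/'.length);
    if (!SAP_SCOPES.some((scope) => name.startsWith(scope))) continue;
    // Only the top-level copy corresponds to the range declared in package.json.
    const spec = path === 'node_modules/' + name ? declared[name] : undefined;
    const issues = [];
    if (spec !== undefined && !EXACT.test(spec)) issues.push(`range "${spec}" is not an exact pin`);
    if (entry.hasInstallScript) issues.push('runs lifecycle scripts at install time');
    if (!entry.integrity) issues.push('no integrity hash in lock file');
    if (!APPROVED_SOURCES.some((src) => (entry.resolved || '').startsWith(src))) {
      issues.push(`unapproved source: ${entry.resolved || 'none recorded'}`);
    }
    findings.push({ name, version: entry.version, direct: spec !== undefined, issues });
  }
  return findings;
}

// Constructed sample data: package names, versions and hashes are placeholders.
const samplePkg = {
  dependencies: { '@sap/example-lib': '^1.4.0', express: '^4.19.0' },
  devDependencies: { '@ui5/example-tool': '2.0.1' },
};
const REG = 'https://registry.npmjs.org/';
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app', version: '1.0.0' },
  'node_modules/@sap/example-lib': { version: '1.4.2', resolved: REG + '@sap/example-lib/-/example-lib-1.4.2.tgz', integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
  'node_modules/@ui5/example-tool': { version: '2.0.1', resolved: REG + '@ui5/example-tool/-/example-tool-2.0.1.tgz', integrity: 'sha512-CONSTRUCTED' },
  'node_modules/@sap/example-lib/node_modules/@sap/example-dep': { version: '0.3.0', resolved: 'https://mirror.example.invalid/example-dep-0.3.0.tgz' },
  'node_modules/express': { version: '4.19.2', resolved: REG + 'express/-/express-4.19.2.tgz', integrity: 'sha512-CONSTRUCTED' },
} };

for (const f of auditSapDependencies(samplePkg, sampleLock)) {
  console.log(`${f.name}@${f.version}${f.direct ? '' : ' (transitive)'}: ${f.issues.join('; ') || 'ok'}`);
}
```

To run it on a real project, pass the `JSON.parse` output of package.json and package-lock.json to `auditSapDependencies`. The lock file records no install dates, so use version-control history of the lock file to see which entries changed inside the 72-hour window.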






