thehackernews.com 4/29/2026, 4:41:47 PM · via preferred

SAP npm Packages Hijacked to Deliver Credential Stealing Bun Loader


Cybersecurity researchers warn of a credential-stealing supply-chain attack targeting SAP-related npm packages, including mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2 and @cap-js/sqlite@2.2.2, after malicious releases were published on 29 April 2026 between 09:55 UTC and 12:14 UTC.

The compromised packages added a preinstall script that runs at installation time: it downloads a Bun ZIP from GitHub Releases, extracts it, and immediately executes the Bun binary. The loader then executes a credential stealer and propagation framework. The infection chain also follows HTTP redirects without validation and, on Windows, runs PowerShell with -ExecutionPolicy Bypass, raising the risk for developer and CI/CD environments.

Wiz noted that the malicious packages share features with previous TeamPCP operations, implying that the same threat actor is likely behind the campaign, a claim supported by multiple researchers. Aikido Security, SafeDep, Socket, StepSecurity and Wiz provided the coordinated analysis, according to those organisations.

Maintainers have released safe versions to supersede the compromised releases, including sqlite v2.4.0 and v2.3.0, postgres v2.3.0 and v2.2.2, hana v2.8.0 and v2.7.2, db-service v2.10.1, and mbt v1.2.49.
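
To check a project against the releases named above, this added example (not code from the article or from the researchers it cites) walks the `packages` map of an npm lockfile (v2/v3 layout) and reports entries pinned to a listed compromised version, along with whether npm recorded an install script for them. The function names and the sample lockfile are constructed for illustration.

```javascript
// Compromised releases, copied from the versions named in this article.
const COMPROMISED = new Map([
  ["mbt", ["1.2.48"]],
  ["@cap-js/db-service", ["2.10.1"]],
  ["@cap-js/postgres", ["2.2.2"]],
  ["@cap-js/sqlite", ["2.2.2"]],
]);

// Lockfile keys are install paths such as
// "node_modules/a/node_modules/@scope/b"; the package name is the last segment.
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Returns one finding per lockfile entry pinned to a listed release.
// A finding is a lead to verify, not proof that the script ran.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = packageName(path);
    if ((COMPROMISED.get(name) || []).includes(meta.version)) {
      findings.push({
        path,
        name,
        version: meta.version,
        // npm sets hasInstallScript when a package declares install-time scripts
        installScript: meta.hasInstallScript === true,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 layout), not real project data.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/mbt": { version: "1.2.49", hasInstallScript: true },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/sqlite/node_modules/@cap-js/db-service": { version: "2.10.1" },
    "node_modules/express": { version: "4.19.2" },
  },
};

console.log(auditLockfile(sampleLock));
```

Pass it the parsed contents of a real `package-lock.json`; installing with `npm ci --ignore-scripts` keeps preinstall hooks from running while the dependency tree is under review.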


Article by CyberSIXT