TeamPCP’s latest supply chain campaign targets SAP’s cloud development ecosystem by compromising four SAP npm packages within the Cloud Application Programming Model (CAP) and Cloud MTA Build Tool (MBT). The four packages—@cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1, and mbt v1.2.48—were injected with malicious preinstall scripts that execute when the dependency is installed.
The attacks were spotted by Wiz, Socket, and Aikido Security researchers, who described a multistage payload designed to harvest secrets across GitHub, npm, and major cloud providers, then exfiltrate data via attacker-controlled GitHub repositories and propagate through compromised tokens. While the campaign echoes past Shai-Hulud-era tradecraft, Wiz notes the operators encrypted stolen data this time, and researchers caution against definitively linking it to a separate actor. Dark Reading reported that the SAP-focused approach elevates risk for enterprises due to the potential reach of these high-value packages.
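To check whether a project resolved one of the four versions named above, the following added example (not code from the article or from the researchers it cites) scans a parsed `package-lock.json` for them and reports whether npm flagged an install script on each match. The function names and the sample lockfile are constructed for illustration.

```javascript
// Package versions named in the article as carrying the malicious preinstall script.
const AFFECTED = new Map([
  ["@cap-js/sqlite", ["2.2.2"]],
  ["@cap-js/postgres", ["2.2.2"]],
  ["@cap-js/db-service", ["2.10.1"]],
  ["mbt", ["1.2.48"]],
]);

// In lockfileVersion 2/3 the key is an install path; the package name is
// whatever follows the last "node_modules/" (covers nested and scoped packages).
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, where, hasInstallScript) => {
    const bad = AFFECTED.get(name);
    if (bad && bad.includes(version)) findings.push({ name, version, where, hasInstallScript });
  };
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = entry.name || nameFromKey(key); // aliased installs carry an explicit name
      // npm records hasInstallScript when a package declares pre/post/install scripts.
      if (key !== "" && name) check(name, entry.version, key, entry.hasInstallScript === true);
    }
  } else {
    // lockfileVersion 1: nested tree, no install-script flag (reported as null).
    const walk = (deps, path) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry.version, `${path}/${name}`, null);
        walk(entry.dependencies, `${path}/${name}`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/db-service": { version: "2.10.0" }, // version not listed in the article
    "node_modules/tool/node_modules/mbt": { version: "1.2.48", hasInstallScript: true },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json`; transitive installs are covered because every resolved package appears in the lockfile.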