SAP npm Packages Compromised in Credential-Stealing Supply Chain Attack
Cybersecurity researchers at Aikido Security have uncovered a new supply chain attack campaign that has compromised several npm packages associated with SAP software. The malicious code, inserted into the packages, is designed to harvest credentials from developers and systems that integrate these libraries. By targeting a widely used enterprise ecosystem, the campaign aims to gain a foothold in corporate environments that rely on SAP for critical business processes.
The infected packages exploit the trust developers place in open‑source components, executing a stealthy credential‑stealing payload upon installation. The malware monitors authentication tokens, API keys, and other sensitive data, exfiltrating them to a command‑and‑control server controlled by the threat actors. Researchers note that the attack leverages obfuscated scripts and environment detection to evade static analysis, making detection challenging for traditional security tools.
Organizations using the affected SAP‑related npm packages are urged to audit their dependency trees, remove any compromised versions, and rotate credentials that may have been exposed. Implementing strict package integrity checks, such as SHA‑256 verification, and employing a private registry with provenance attestation can help mitigate the risk of similar supply chain intrusions. Aikido Security continues to monitor the campaign and advises security teams to stay vigilant for anomalous network traffic and unauthorized access attempts linked to these malicious packages.
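As an added illustration of the dependency audit and integrity checks recommended above (example code written for this page, not from Aikido Security or SAP), the following script walks an npm `package-lock.json` (lockfileVersion 3 layout), flags entries resolved from a host other than the trusted registry, entries with no pinned integrity hash or a non-SRI algorithm, entries whose downloaded tarball no longer matches the pinned digest, and entries that run a lifecycle install script (the stage at which the payload described above executes). npm lockfiles pin sha512 SRI strings, so the digest helper accepts sha256, sha384 and sha512; the trusted host set and the sample lockfile are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import urlparse

SRI_ALGOS = {"sha256", "sha384", "sha512"}   # valid SRI algorithms; npm lockfiles use sha512
TRUSTED_HOSTS = {"registry.npmjs.org"}       # assumption: swap in your private registry host

def sri_digest(data: bytes, algo: str = "sha512") -> str:
    # Build the SRI string ("<algo>-<base64 digest>") that a lockfile pins for a tarball.
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def verify_tarball(data: bytes, integrity: str) -> bool:
    # Recompute the digest named in the lockfile entry and compare in constant time.
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS or not expected:
        return False
    return hmac.compare_digest(sri_digest(data, algo).partition("-")[2], expected)

def audit_lockfile(lock: dict, tarballs: dict = None) -> list:
    # (package path, reason) pairs for entries that weaken integrity or run install-time code;
    # `tarballs` optionally maps a package path to the downloaded tarball bytes to verify.
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):          # skip the root project and workspace links
            continue
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in TRUSTED_HOSTS:
            findings.append((path, f"resolved from untrusted host {host!r}"))
        integrity = entry.get("integrity", "")
        if not integrity:
            findings.append((path, "no integrity hash pinned"))
        elif integrity.partition("-")[0] not in SRI_ALGOS:
            findings.append((path, "weak or unknown integrity algorithm"))
        elif tarballs and path in tarballs and not verify_tarball(tarballs[path], integrity):
            findings.append((path, "tarball digest does not match lockfile"))
        if entry.get("hasInstallScript"):
            findings.append((path, "runs a lifecycle install script"))
    return findings

# Constructed sample lockfile (not from the article): one clean entry, one suspicious one.
GOOD_TARBALL = b"constructed tarball bytes for good-lib 1.0.0"
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "0.1.0"},
    "node_modules/good-lib": {"version": "1.0.0", "integrity": sri_digest(GOOD_TARBALL),
        "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-1.0.0.tgz"},
    "node_modules/suspect-lib": {"version": "2.1.0", "hasInstallScript": True,
        "resolved": "https://mirror.example/suspect-lib-2.1.0.tgz"},
}}
```

Running `audit_lockfile(SAMPLE_LOCK, {"node_modules/good-lib": GOOD_TARBALL})` reports only the suspect entry; on a real project, load `package-lock.json` with `json.load` and feed the cached tarballs from `~/.npm/_cacache` or your private registry as the `tarballs` map.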