TeamPCP Compromises SAP npm Packages With 'Mini Shai-Hulud' Attack
A threat actor identified as TeamPCP has extended its supply-chain assault to the SAP cloud application development ecosystem, compromising several npm packages that are integral to SAP's Cloud Platform tooling. The campaign, internally dubbed "Mini Shai-Hulud," introduces a malicious payload designed to exfiltrate credentials and to provide a foothold for further malware deployment.

The compromised packages were discovered after security researchers observed abnormal network traffic and unexpected code execution within development environments. Analysis revealed that the malicious code was injected into a widely used SAP-specific npm library, affecting versions that were downloaded thousands of times before the compromise was identified. The payload leverages a stealthy backdoor that masquerades as a legitimate build step, allowing attackers to run arbitrary commands with the same privileges as the developer.

Developers and organizations relying on the affected SAP npm modules are urged to audit their dependency trees and remove any suspicious versions immediately. SAP has issued an advisory recommending the use of integrity checking mechanisms such as npm's package-lock.json and the activation of two-factor authentication for publishing rights. Security teams should also monitor for the Indicators of Compromise (IoCs) provided in the advisory and implement endpoint detection solutions that can flag anomalous script execution.

The extension of TeamPCP's tactics to npm packages underscores the growing risk of supply-chain attacks on open-source ecosystems. Organizations should adopt a defense-in-depth strategy, regularly reviewing third-party code, employing static analysis tools, and maintaining up-to-date threat-intel feeds to stay ahead of such threats. Continued coordination between the security community, package registries, and affected vendors will be essential to mitigate the impact of this and future supply-chain campaigns.