TeamPCP Threat Actors Compromise Official SAP npm Packages in Supply-Chain Attack

AI-generated from multiple sources. Verify before acting on this reporting.

Update

BERLIN — Additional reports have confirmed the scope of the TeamPCP supply-chain attack on official SAP npm packages. The malicious code embedded within the compromised packages was configured to exfiltrate sensitive authentication data from the affected systems. This development follows the initial detection on April 29, 2026, which affected developers globally utilizing the packages within their systems and continuous integration and deployment environments. The new information reinforces the severity of the incident and the potential impact on organizations relying on these packages for their software development workflows. Security teams are advised to review their systems for any signs of compromise and take immediate steps to mitigate the risk of credential theft and unauthorized access.

Update

BERLIN — Additional corroborating reports have confirmed the scope of the TeamPCP supply-chain attack on official SAP npm packages. The malicious code embedded within the compromised packages has been verified to exfiltrate sensitive authentication data from multiple developer environments globally. This development follows the initial detection on April 29, 2026, and indicates a broader impact than previously understood. Security teams are now advised to audit their systems for any unauthorized access or data exfiltration resulting from the compromised packages. The attack remains active, with threat actors continuing to exploit the vulnerability to steal developer credentials and authentication tokens. Organizations utilizing the affected packages are urged to take immediate action to mitigate potential risks and secure their continuous integration and deployment environments.

Original Report —

BERLIN — A group of threat actors known as TeamPCP has compromised multiple official SAP npm packages in a supply-chain attack designed to steal developer credentials and authentication tokens.

The attack was detected on April 29, 2026, affecting developers globally who utilize the compromised packages within their systems and continuous integration and deployment environments. The malicious code embedded within the packages was configured to exfiltrate sensitive authentication data from the machines of developers who installed the updates.

SAP, the German enterprise software company, confirmed the compromise of its official packages hosted on the npm registry. The incident represents a significant breach of the software supply chain, where attackers target the distribution channels of legitimate software to infiltrate downstream users. By compromising official packages, the threat actors were able to bypass traditional security measures that often focus on external network perimeters rather than trusted dependencies.

The attack vector involved the insertion of malicious scripts into the codebase of the npm packages. When developers installed or updated these packages, the scripts executed on their local systems or within their CI/CD pipelines. The primary objective was to harvest credentials and tokens that grant access to internal development environments, source code repositories, and cloud infrastructure.

Security researchers identified the activity as part of a broader campaign by TeamPCP, a group known for targeting enterprise software ecosystems. The group has previously demonstrated capabilities in compromising software repositories to gain unauthorized access to corporate networks. This latest operation highlights the vulnerability of package management systems, which are critical infrastructure for modern software development but often lack robust integrity checks.

SAP has since removed the compromised packages from the registry and is working with security partners to identify affected users. The company is advising developers to rotate all credentials and authentication tokens that may have been exposed during the attack window. Organizations are urged to audit their supply chains and implement stricter verification processes for third-party dependencies.
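One way to start the dependency audit described above is the following added example, which is not code from SAP or from the reporting. It assumes the malicious scripts ran through npm lifecycle hooks at install time, and the watchlist entry is a hypothetical placeholder because the report does not name the affected packages.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for dependencies that run scripts at install time or lack an integrity hash.
// WATCHLIST holds hypothetical placeholder names; replace them with the
// package names from the vendor advisory.
const WATCHLIST = new Set(['@example-scope/placeholder-pkg']);

function packageName(lockPath) {
  // "node_modules/a/node_modules/@s/b" -> "@s/b"
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project entry and local workspace folders.
    if (!lockPath.includes('node_modules/')) continue;
    const reasons = [];
    // npm sets this flag for packages that run scripts at install time.
    if (meta.hasInstallScript) reasons.push('install-script');
    // Registry tarballs carry an integrity hash; links and bundled deps do not.
    if (!meta.integrity && !meta.link && !meta.inBundle) reasons.push('no-integrity');
    const name = packageName(lockPath);
    if (watchlist.has(name)) reasons.push('watchlist');
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile; names, versions, URLs and hashes are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/constructed-clean-lib': { version: '2.1.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/@example-scope/placeholder-pkg': {
      version: '4.0.1', integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
    'node_modules/constructed-native-addon': {
      version: '0.3.0', integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
    'node_modules/a/node_modules/constructed-git-dep': {
      version: '1.0.0', resolved: 'git+ssh://git@example.invalid/x/y.git#0000000' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join(', ')}`);
}
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running during install, which gives time to review each package flagged `install-script` before allowing its script to run.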

The full extent of the data exfiltration remains unclear. While the mechanism of the attack is understood, the specific number of compromised systems and the volume of stolen credentials have not been disclosed. Security experts warn that the stolen tokens could be used for lateral movement within targeted organizations, potentially leading to further breaches.

Questions remain regarding the duration of the compromise prior to detection and whether other packages within the SAP ecosystem were affected. The incident underscores the growing threat of supply-chain attacks and the challenges faced by organizations in securing their software development lifecycles against sophisticated adversaries.