{
  "name": "Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages",
  "slug": "supply-chain-attack-hits-sap-cap-and-cloud-mta-npm-packages",
  "description": "Multiple npm packages in the SAP JavaScript and cloud application development ecosystem were compromised in a suspected supply chain attack. Affected packages include mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. The compromised versions introduced malicious preinstall scripts that download and execute Bun binaries from GitHub, then run heavily obfuscated payloads designed to harvest credentials from developer machines and CI/CD environments. The payloads steal SSH keys, cloud credentials, npm tokens, GitHub credentials, and cryptocurrency wallets, and they read CI/CD secrets directly from runner memory. Stolen data is encrypted and exfiltrated via GitHub repositories created under victim accounts. The malware also attempts self-propagation by injecting itself into additional packages using stolen npm tokens and establishes persistence through VSCode and Claude IDE configurations.",
  "published": "2026-04-29T22:12:45+00:00",
  "created_at": "2026-04-29T22:12:45+00:00",
  "modified_at": "2026-04-30T05:47:07+00:00",
  "created_at_opencti": "2026-04-29T22:12:45+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-30",
    "bun-binary",
    "ci-cd-compromise",
    "credential-theft",
    "github abuse",
    "npm packages",
    "obfuscation",
    "sap-cap",
    "supply chain attack"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34"
      },
      {
        "id": "",
        "name": "eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb"
      },
      {
        "id": "",
        "name": "80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac"
      },
      {
        "id": "",
        "name": "6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa",
        "name": "TeamPCP",
        "slug": "teampcp"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      }
    ]
  },
  "external_refs": [
    "https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack",
    "https://otx.alienvault.com/pulse/69f29e7de2c7e622090df108"
  ]
}