Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials

Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.

Tags: #sap #npm #supply-chain #credential-theft #developer-security #package-manager

Official npm packages maintained by SAP — the enterprise software giant whose platforms underpin ERP, finance, procurement, and HR operations at thousands of large organisations — were compromised to include credential-harvesting code. The malicious versions were published through SAP’s official npm account and distributed to developers working on SAP Business Technology Platform (BTP) integrations, SAP Cloud Application Programming Model (CAP) projects, and SAP Fiori application development. The attack targets the developer workstation and CI/CD pipeline layer, not SAP’s production systems directly.

What Was Compromised

Researchers identified malicious code inserted into at least three packages in SAP’s official @sap npm namespace. The affected packages include tooling components used in the SAP Cloud SDK and SAP Continuous Integration toolkit that are installed as development dependencies in SAP integration projects.

The malicious code added to each package executes at install time via a postinstall script — the same legitimate mechanism npm uses to run build steps after package installation. The payload:

  • Reads all environment variables from the current process context
  • Scans the developer’s home directory for SSH key files (~/.ssh/)
  • Reads cloud credential files for AWS (~/.aws/credentials), Azure (~/.azure/), and GCP (~/.config/gcloud/)
  • Reads any .env files in the current working directory and up to two parent directories
  • Exfiltrates collected data via an HTTPS POST to an attacker-controlled endpoint

The exfiltration endpoint was hosted on a domain registered seven days before the attack was detected. The domain has since been sinkholed.

Attack Vector and Timeline

The compromise was achieved by obtaining credentials to SAP’s npm publishing account — likely via credential stuffing against the npm account or through a compromised developer machine at SAP. The malicious versions were live for approximately 52 hours before SAP and npm removed them and republished clean versions. During the window, the packages were downloaded an estimated 18,000 times across automated CI/CD pipelines and developer environments.

The targeted packages had high download rates specifically because they are pulled as transitive dependencies by popular SAP development toolchains — meaning many developers were exposed without directly installing the affected packages.

Enterprise Impact Assessment

SAP development environments are not typical consumer developer machines. They commonly hold:

  • SAP BTP service account credentials with access to production cloud landscapes
  • Connection strings and API keys for SAP S/4HANA, SuccessFactors, Ariba, and Concur
  • Cloud platform credentials for Azure/AWS/GCP environments where SAP extensions are hosted
  • Database connection parameters for SAP HANA Cloud and on-premise SAP databases
  • Certificates used for SAP system-to-system RFC and SOAP connections

Credentials exfiltrated from a developer machine in this context can provide pathways to production SAP systems — the same systems that process payroll, financial transactions, and supply chain operations.

Recommended Actions

  • Identify all machines and CI/CD pipelines that installed the affected packages — check npm audit logs and CI/CD pipeline execution records from the window April 27–29, 2026. All installs of the affected @sap packages during this window should be treated as exposed.
  • Rotate all credentials potentially accessible from affected environments — specifically: SAP BTP service keys, S/4HANA RFC user credentials, cloud platform credentials (AWS IAM, Azure service principals, GCP service accounts), SSH keys, and any API keys stored in .env files or environment variables on affected machines.
  • Re-image or thoroughly audit affected developer workstations — a post-install script runs with the developer’s full privileges, so there is no guarantee that its actions were limited to the documented behaviour; treat affected machines as potentially compromised.
  • Implement npm package integrity verification — enforce npm ci (which uses package-lock.json for exact version pinning) in all CI/CD pipelines; consider enabling npm provenance verification for packages in sensitive build environments.
  • Review npm account security for internal packages — audit your organisation’s own npm publishing accounts for MFA enforcement and access key rotation; the same attack vector could be used against your organisation’s private npm packages.
  • Add @sap/* packages to your software composition analysis monitoring — ensure your SCA tooling tracks these packages for integrity changes and version anomalies going forward.
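One way to carry out the first and fourth steps on a workstation or build agent, as an added example that is not SAP’s or npm’s own tooling: a Python audit that walks node_modules, lists every package declaring an install hook, and flags hook commands or local scripts that reference the credential locations described above. The package names, indicator patterns and sample tree are constructed placeholders, not the real affected packages.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm runs these automatically
# Indicators taken from the article's description of the payload; assumed patterns, not a published rule.
INDICATORS = {
    "env-vars": re.compile(r"process\.env\b"),
    "ssh-keys": re.compile(r"\.ssh/"),
    "cloud-creds": re.compile(r"\.aws/credentials|\.azure/|\.config/gcloud/"),
    "dotenv": re.compile(r"/\.env\b"),
    "network": re.compile(r"https?://"),
}

def audit_node_modules(root):
    findings = {}  # {package name: {hook: [indicator, ...]}} for every package with an install hook
    for pkg in Path(root).rglob("package.json"):
        meta = json.loads(pkg.read_text(encoding="utf-8"))
        for hook, command in meta.get("scripts", {}).items():
            if hook not in INSTALL_HOOKS:
                continue
            # Scan the hook command plus any local script it invokes (e.g. "node setup.js").
            local = [pkg.parent / token for token in command.split()]
            text = command + "\n".join(p.read_text(encoding="utf-8") for p in local if p.is_file())
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            findings.setdefault(meta.get("name", str(pkg.parent)), {})[hook] = hits
    return findings

# Constructed node_modules tree (placeholder names, not real SAP code): a benign native addon and a
# package whose postinstall script references credential locations; only the references are reproduced.
SAMPLE = {
    "@example/native-addon/package.json": '{"name": "@example/native-addon", "scripts": {"postinstall": "node-gyp rebuild"}}',
    "@example/build-helper/package.json": '{"name": "@example/build-helper", "scripts": {"postinstall": "node setup.js"}}',
    "@example/build-helper/setup.js": (
        "const env = process.env, home = require('os').homedir();\n"
        "const paths = [home + '/.ssh/', home + '/.aws/credentials', process.cwd() + '/.env'];\n"
        "const endpoint = 'https://placeholder.invalid/upload';\n"),
}

def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(json.dumps(audit_node_modules(build_sample_tree()), indent=2))
```

Note that `npm ci` only guarantees that the versions and integrity hashes pinned in package-lock.json are what gets installed, so a lockfile regenerated during the exposure window still pins the malicious release; pair lockfile review with `npm ci --ignore-scripts` in pipelines that do not need install hooks.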
