SAP npm Supply Chain Compromise: TeamPCP Targets Enterprise CAP Development with Memory-Scraping Infostealer
TL;DR
TeamPCP has compromised four official SAP npm packages supporting enterprise Cloud Application Programming (CAP) development, injecting a sophisticated credential stealer that exfiltrates developer secrets and CI/CD tokens. The attack features a novel memory-scanning technique to bypass CI platform log masking.
What Happened
Four official SAP npm packages were compromised with malicious preinstall scripts, according to security research from Aikido, Socket.dev, and BleepingComputer:
- @cap-js/sqlite v2.2.2
- @cap-js/postgres v2.2.2
- @cap-js/db-service v2.10.1
- mbt v1.2.48
These packages power SAP's Cloud Application Programming Model (CAP) and Cloud Multitarget Application (MTA) frameworks—foundational tools for enterprise developers building on SAP's cloud platform. The compromised versions have been deprecated on npm, but any developer who installed them during the attack window is at immediate risk of credential compromise.
Technical Details
Attack Chain
The malicious preinstall script executes automatically upon package installation and chains three stages:
1. Loader stage: Downloads the Bun JavaScript runtime from GitHub
2. Obfuscation stage: Executes a heavily obfuscated execution.js payload
3. Information-stealing stage: Harvests credentials from both development machines and CI/CD environments
Memory-Scanning Breakthrough
Unlike previous supply-chain attacks, TeamPCP's SAP payload includes a novel technique to extract secrets directly from CI runner memory:
- Reads /proc/<pid>/maps and /proc/<pid>/mem for the Runner.Worker process
- Searches for secrets matching: "key": { "value": "...", "isSecret": true }
- Bypasses all log masking applied by the CI platform
This memory-scanning technique is structurally identical to the method documented in both the Bitwarden and Checkmarx incidents—indicating TeamPCP's increasing sophistication in circumventing CI security controls.
Credential Targets
The stealer exfiltrates a comprehensive target set:
- Development credentials: npm tokens, GitHub tokens, SSH keys
- Cloud credentials: AWS, Azure, and Google Cloud authentication
- Kubernetes secrets: kubeconfig files and API credentials
- CI/CD environment: Pipeline secrets, runner environment variables
Data Exfiltration & Propagation
Harvested credentials are encrypted and uploaded to GitHub repositories created under the victim's account with the telltale description: "A Mini Shai-Hulud has Appeared" (echoing the Bitwarden attack's "Shai-Hulud: The Third Coming" marker).
The malware then uses GitHub commit searches as a dead-drop mechanism:
- Searches for commits matching OhNoWhatsGoingOnWithGitHub:<base64>
- Decodes matched commit messages into GitHub tokens
- Tests tokens for repository access
Finally, using stolen npm or GitHub credentials, the malware self-propagates—modifying other packages and repositories to inject the same payload and expand its reach across the supply chain.
Lyrie Assessment
This attack represents the maturation of supply-chain credential harvesting at the CI/CD layer. Three factors make SAP's compromise especially high-impact for Lyrie's audience:
1. **Enterprise Footprint**
SAP's CAP framework is deeply embedded in Fortune 500 development pipelines. Unlike consumer npm packages, compromised SAP tools touch enterprise CI/CD systems managing business-critical deployments.
2. **Memory-Scanning Evasion**
TeamPCP has weaponized direct process-memory reads via procfs (/proc/<pid>/mem) to bypass CI platform security controls. Organizations relying on GitHub Actions, GitLab CI, or Jenkins log masking have no visibility into stolen secrets, because the values are read out of runner memory before any log line is written and masked. This is a critical signal that log-based secret detection is insufficient; defenders must monitor memory access patterns.
3. **Attribution & Recidivism Pattern**
TeamPCP's assault on Checkmarx, Trivy, Bitwarden, and now SAP reveals a systematic targeting of developer infrastructure & identity systems. The group is actively iterating on attack techniques (OIDC token theft → cache poisoning → memory scanning), suggesting autonomous CI compromise is now their primary operational mode.
Recommended Actions
Immediate (0-24 hours):
1. Audit package installations: Query npm and pip logs for the four SAP packages and any installation during late April 2026
2. Rotate all credentials: Assume compromise of npm tokens, GitHub tokens, SSH keys, and cloud credentials
3. CI/CD secret flush: Regenerate all GitHub Actions, GitLab CI, Jenkins, and CircleCI tokens and environment secrets
4. Kubernetes remediation: Rotate kubeconfig credentials and audit RBAC access logs for anomalies
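A lockfile audit for step 1, added here as example code (not from the advisory, SAP, or any cited source): it reads a package-lock.json object and reports every entry pinned to one of the four compromised versions, handling both the v2/v3 "packages" layout and the v1 nested "dependencies" tree. The sample lockfile is constructed for illustration.

```python
import json

# Compromised versions named in the advisory: package name -> version.
COMPROMISED = {
    "@cap-js/sqlite": "2.2.2",
    "@cap-js/postgres": "2.2.2",
    "@cap-js/db-service": "2.10.1",
    "mbt": "1.2.48",
}


def find_compromised(lock: dict) -> list[tuple[str, str, str]]:
    """Return (install path, package name, version) for each lockfile entry
    pinned to a compromised version. Supports lockfileVersion 2/3 ("packages"
    keyed by node_modules path) and the v1 nested "dependencies" tree."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # nested installs look like node_modules/a/node_modules/@scope/b
        name = meta.get("name") or path.split("node_modules/")[-1]
        if COMPROMISED.get(name) == meta.get("version"):
            hits.add((path, name, meta["version"]))

    def walk(deps: dict, prefix: str) -> None:  # v1 format only
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if COMPROMISED.get(name) == meta.get("version"):
                hits.add((path, name, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed sample (lockfileVersion 3) for demonstration only.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-cap-app", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/db-service": {"version": "2.9.0"},
        "node_modules/mbt": {"version": "1.2.48"},
    },
}

if __name__ == "__main__":
    for path, name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
```

For a real project, pass `json.load(open("package-lock.json"))` to `find_compromised`; a lockfile that was never updated to the bad versions does not clear a machine on which `npm install` resolved them transiently, so still check the npm logs as step 1 says.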
Short-term (24-72 hours):
1. Forensic analysis: Examine /proc/<pid>/mem dumps and CI runner logs for evidence of memory access patterns matching Bun/JavaScript runtime loads
2. Supply chain blast radius: Map downstream dependencies on the four compromised SAP packages and alert affected teams
3. GitHub commit forensics: Search your organization's repositories for commits matching OhNoWhatsGoingOnWithGitHub:* (potential dead-drop messages)
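A commit-message sweep for step 3, added here as example code (not from any of the cited sources). It parses `git log` output in a record format chosen for this script (0x1f between fields, 0x1e after each commit), flags commits carrying the OhNoWhatsGoingOnWithGitHub: marker, checks that the payload is well-formed base64 so that a commit merely quoting the IoC pattern is not reported, and never prints or stores the decoded bytes. The sample log is constructed.

```python
import base64
import binascii
import hashlib
import re

# Marker the advisory reports in dead-drop commit messages; group 1 is the
# base64 payload that follows it (standard alphabet, optional '=' padding).
MARKER_RE = re.compile(r"OhNoWhatsGoingOnWithGitHub:([A-Za-z0-9+/]+={0,2})")


def well_formed_base64(payload: str) -> bool:
    """Decode once to check shape and immediately discard the bytes, so a
    real token never reaches stdout or a log file."""
    try:
        base64.b64decode(payload + "=" * (-len(payload) % 4))
        return True
    except (binascii.Error, ValueError):
        return False


def scan_commit_log(log_text: str) -> list[dict]:
    """Parse output of:  git log --all --format='%H%x1f%s%x1f%b%x1e'
    and return one finding per marker occurrence; the payload is reduced to
    its length and a SHA-256 fingerprint for cross-repository correlation."""
    findings = []
    for record in log_text.split("\x1e"):
        if not record.strip():
            continue
        sha, subject, body = (record.strip("\n").split("\x1f", 2) + ["", ""])[:3]
        for m in MARKER_RE.finditer(subject + "\n" + body):
            payload = m.group(1)
            findings.append({"commit": sha, "payload_len": len(payload),
                             "fingerprint": hashlib.sha256(payload.encode()).hexdigest()[:12],
                             "decodes": well_formed_base64(payload)})
    return findings


# Constructed sample log: one clean commit, one dead-drop, one malformed
# payload, and one commit that merely quotes the IoC pattern from an advisory.
SAMPLE_LOG = (
    "0a1b2c\x1fchore: bump deps\x1f\x1e\n"
    "3d4e5f\x1fOhNoWhatsGoingOnWithGitHub:bm90LWEtcmVhbC10b2tlbg==\x1f\x1e\n"
    "6a7b8c\x1fupdate readme\x1fsee OhNoWhatsGoingOnWithGitHub:ABCDE later\x1e\n"
    "9d0e1f\x1fdocs: IoC is OhNoWhatsGoingOnWithGitHub:<base64>\x1f\x1e\n"
)

if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_commit_log(text):
        print(f"{f['commit']} marker len={f['payload_len']} b64={f['decodes']} fp={f['fingerprint']}")
```

Run it per repository as `git log --all --format='%H%x1f%s%x1f%b%x1e' | python3 scan.py`; a hit means the token referenced by that commit must be treated as stolen and revoked, not inspected.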
Strategic:
1. Implement credential isolation: Isolate CI/CD secrets using short-lived credentials (OIDC tokens) rather than long-lived PATs
2. Memory-access monitoring: Deploy kernel-level monitoring (eBPF, auditd) to detect /proc/<pid>/mem reads in CI environments
3. Supply chain scanning: Integrate SHA256 verification and timeline analysis of package versions to detect unexpected version gaps
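A point-in-time check that complements the eBPF/auditd monitoring in step 2 and targets the /proc/<pid>/mem technique described under Memory-Scanning Breakthrough, added here as example code (not from the advisory): it walks every readable /proc/<pid>/fd directory and reports processes holding another process's mem file open, without reading any memory itself. The fd targets used in the test are constructed.

```python
import os
import re
from pathlib import Path

# /proc/<pid>/mem of some process; group 1 is the pid whose memory is opened.
MEM_TARGET = re.compile(r"^/proc/(\d+)/mem$")


def foreign_mem_handles(owner_pid: int, fd_targets: list[str]) -> list[int]:
    """Given the symlink targets of one process's /proc/<owner_pid>/fd entries,
    return the pids of *other* processes whose /proc/<pid>/mem it holds open.
    A process opening its own mem file is ignored (some runtimes do that)."""
    victims = set()
    for target in fd_targets:
        m = MEM_TARGET.match(target)
        if m and int(m.group(1)) != owner_pid:
            victims.add(int(m.group(1)))
    return sorted(victims)


def comm(pid: int) -> str:
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip()
    except OSError:
        return "?"


def scan_procfs() -> list[tuple[int, str, int, str]]:
    """Point-in-time sweep of every readable /proc/<pid>/fd directory.
    Returns (reader pid, reader comm, target pid, target comm) tuples."""
    findings = []
    if not os.path.isdir("/proc"):  # not Linux procfs; nothing to scan
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = Path(f"/proc/{pid}/fd")
        try:
            targets = [os.readlink(fd_dir / fd) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or we lack permission to list it
            continue
        for victim in foreign_mem_handles(pid, targets):
            findings.append((pid, comm(pid), victim, comm(victim)))
    return findings


if __name__ == "__main__":
    for reader, rcomm, victim, vcomm in scan_procfs():
        print(f"pid {reader} ({rcomm}) has /proc/{victim}/mem open; target is {vcomm}")
```

Any hit where the target comm is Runner.Worker matches the behaviour described above; because the stealer holds the descriptor only while it reads, this sweep catches in-progress scraping, and continuous coverage still needs the syscall-level tracing recommended in step 2.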
Sources
[1] https://www.bleepingcomputer.com/news/security/official-sap-npm-packages-compromised-to-steal-credentials/
[2] https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
[3] https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack
[4] https://socradar.io/blog/checkmarx-jenkins-plugin-teampcp-backdoor/
[5] https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.