SAP npm Packages Compromised: TeamPCP Attack Discovered

Several official SAP npm packages have been compromised, indicating a TeamPCP attack aimed at stealing credentials and authentication tokens from developers' systems. The vulnerability was discovered by security experts who checked the integrity of the packages and found irregularities. The affected packages were widely used in the JavaScript community, significantly amplifying the impact of the attack. Developers who used these packages in their projects may have been unknowingly compromised. The exact number of affected users is currently unclear, but a significant spread is assumed.

Security researchers found that the attackers gained access to sensitive data by manipulating the packages. This was done by inserting malicious code that reached developers' systems upon downloading the packages. Analysis of the compromised packages revealed that the attackers specifically sought credentials to gain unauthorized access. SAP responded promptly by removing the affected packages from the npm repository. Additionally, all users who downloaded these packages were informed about the security vulnerability.

SAP recommends that developers check their systems for possible compromises and change their credentials. The vulnerability has also attracted the attention of government agencies, which classify the incidents as a serious threat to IT security. Experts warn that such attacks could increase in the future, especially as many companies rely on cloud services and open-source software. The TeamPCP group is known for its sophisticated attacks on software ecosystems. Previous incidents show that they are capable of circumventing security measures and specifically targeting developer communities.

The current situation may lead companies to rethink and strengthen their security protocols. The incidents also raise questions about the trustworthiness of open-source packages. Developers often rely on these packages to efficiently manage their projects, which also makes them vulnerable to attacks. The community is urged to remain vigilant and implement security practices to protect against similar incidents. A detailed technical analysis of the attacks is currently being conducted by security experts.

Initial reports suggest that the attackers may have also employed phishing techniques to obtain further information. The full investigation could take several weeks, while the security situation continues to be monitored. The vulnerability has been registered as CVE-2026-1234, underscoring the urgency of the situation. Developers and companies are urged to promptly check their systems and install security updates to protect against potential attacks. The incidents have already sparked a discussion about the need for improved security standards in software development.

Experts are calling for stronger collaboration between companies and the developer community to ensure the security of open-source packages. SAP has announced that it will provide further information on the incidents in the coming weeks and work on solutions to enhance the security of its packages. An update on the situation is expected on May 15, 2026.