
Node.js
Open-source JavaScript runtime; its npm package manager was exploited via the TeamPCP supply-chain attack on SAP packages.
Last refreshed: 30 April 2026 · Appears in 1 active topic
If developers cannot trust official npm packages, where is the trust boundary?
Timeline for Node.js
Mentioned in: GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesMentioned in: Three supply-chain hits in thirteen days
Cybersecurity: Threats and DefencesWhat is Node.js and why is it important?
How many packages are on npm?
Did the SAP npm compromise affect Node.js?
Background
Node.js is an open-source JavaScript runtime that lets developers execute JavaScript outside the browser, on servers and development machines. Ryan Dahl created Node.js in 2009 to bring JavaScript's event-driven, non-blocking model to backend application development. The project is now maintained by the OpenJS Foundation, a vendor-neutral governance body. Node.js is the de facto runtime for most modern web applications, microservices, and command-line tools. The npm (Node Package Manager) registry, maintained separately, distributes over 2 million third-party libraries that developers install via `npm install` commands during development and build time. This split—the runtime maintained by OpenJS, the package registry operated by npm Inc (a GitHub subsidiary)—makes Node.js a critical dependency for the modern development toolchain.
On 29 April 2026, official SAP npm packages were compromised in the TeamPCP supply-chain attack, stealing developer credentials and authentication tokens from engineers running `npm install` . SAP, a top-tier enterprise software vendor, ships npm packages for its developer-tooling suite; engineers building applications that integrate with SAP systems run these packages as a trusted installation step. The TeamPCP compromise represents the first direct hit against a major vendor's official npm packages in this threat cycle. In the same thirteen-day window, GlassWorm malware turned 73 dormant Visual Studio Code extensions malicious, and a PyPI package with 1.1 million monthly downloads distributed infostealer malware. The pattern is structural: the developer toolchain (package managers like npm and pip, extension registries, build-time dependencies) has become a primary lateral-movement substrate. For organisations with engineers running `npm install` against public registries without build-time controls (lockfile pinning, allow-listed registries, signed manifests), the risk profile has materially worsened.