
TeamPCP
Supply-chain attack compromising official SAP npm packages on 29 April 2026 to steal developer credentials.
Last refreshed: 30 April 2026
How do you vet an official vendor npm package for supply-chain compromise before your build pipeline runs it?
Timeline for TeamPCP
Mentioned in: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
Cybersecurity: Threats and Defences: Compromised official SAP npm packages to steal developer credentials and authentication tokens
Cybersecurity: Threats and Defences: Three supply-chain hits in thirteen days

- Which SAP npm packages were compromised in the TeamPCP attack?
- The full list was not specified in initial reporting. Organisations using SAP JavaScript tooling should audit their npm lockfiles for packages updated on or around 29 April 2026 and rotate any affected credentials. Source: Bleeping Computer
- How can I tell if my organisation was affected by the SAP npm TeamPCP supply-chain attack?
- Review npm install logs for SAP package updates around 29 April 2026. Examine developer workstations for unexpected credential use. Rotate any tokens held by engineers who ran npm install on SAP packages during the compromise window. Source: Bleeping Computer
- Why is an attack on official SAP npm packages more dangerous than a typosquat?
- Official vendor packages are trusted by default by build systems and security scanners. Typosquats are caught by name-matching checks; a compromise of an authentic package bypasses those controls entirely, reaching organisations that had explicitly approved SAP packages in their allow-lists.
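As an added example (not code from this page or from SAP), the lockfile audit the answers above recommend: it lists every package under an npm scope that a package-lock.json would install, nested copies included, and flags those whose registry publish timestamp falls in the window around 29 April 2026, treating any version without a verifiable timestamp as needing manual review rather than a pass. The sample lockfile, the registry timestamps and the exact window bounds are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed package-lock.json (lockfileVersion 3); names and versions are invented.
SAMPLE_LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@sap/example-tool": {"version": "2.4.1"},
    "node_modules/@sap/example-lib": {"version": "1.0.9"},
    "node_modules/@sap/example-tool/node_modules/@sap/example-nested": {"version": "0.3.2"},
    "node_modules/@sap/example-unlisted": {"version": "0.0.1"},
    "node_modules/lodash": {"version": "4.17.21"},
}})

# Constructed stand-in for per-version publish timestamps. The npm registry serves
# these in the "time" field of https://registry.npmjs.org/<name>; fetch that in a pipeline.
SAMPLE_REGISTRY_TIME = {
    "@sap/example-tool": {"2.4.0": "2026-03-02T10:00:00.000Z", "2.4.1": "2026-04-29T07:12:44.000Z"},
    "@sap/example-lib": {"1.0.9": "2025-11-18T09:30:00.000Z"},
    "@sap/example-nested": {"0.3.2": "2026-04-29T18:40:00.000Z"},
    "lodash": {"4.17.21": "2021-02-20T15:42:16.891Z"},
}

# Inspection window: the page says "on or around 29 April 2026"; exact bounds are an assumption.
WINDOW_START = datetime(2026, 4, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 30, 23, 59, 59, tzinfo=timezone.utc)


def package_name(lock_path):
    """'node_modules/@sap/a/node_modules/@sap/b' -> '@sap/b' (nested installs included)."""
    return lock_path.split("node_modules/")[-1].rstrip("/")


def installed_in_scope(lockfile_json, scope):
    """Every distinct (name, version) under the scope that the lockfile would install."""
    packages = json.loads(lockfile_json).get("packages", {})
    return sorted({(package_name(p), e["version"]) for p, e in packages.items()
                   if p and package_name(p).startswith(scope + "/")})


def audit_lockfile(lockfile_json, registry_time, scope="@sap"):
    """Flag scoped packages published inside the window, and any whose publish time
    cannot be verified: those need a manual check rather than a pass."""
    flagged = []
    for name, version in installed_in_scope(lockfile_json, scope):
        stamp = registry_time.get(name, {}).get(version)
        if stamp is None:
            flagged.append((name, version, "unverified: no publish timestamp"))
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if WINDOW_START <= published <= WINDOW_END:
            flagged.append((name, version, stamp))
    return flagged
```

Flagged packages are candidates for the credential rotation the answers above describe, not proof of compromise; the publish date narrows the review, the package contents decide it.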
Background
TeamPCP is the designation for a supply-chain attack campaign that compromised multiple official SAP npm packages on 29 April 2026, injecting credential-stealing code to harvest developer authentication tokens and secrets from the build environments of organisations using SAP's open-source JavaScript toolchain. The attack is significant because the compromised packages were official SAP-published entries in the npm registry, not typosquat impostors — a direct hit against a top-tier enterprise vendor's authenticated software distribution channel.
The TeamPCP compromise arrived as the third in a cluster of developer-toolchain supply-chain attacks within thirteen days: GlassWorm turned 73 dormant OpenVSX VS Code extensions malicious on 27 April; a PyPI package with 1.1 million monthly downloads was found distributing infostealer malware; and TeamPCP hit SAP's official npm packages two days later. Whether the three incidents are co-ordinated or represent opportunistic copycat escalation has not been confirmed. SAP serves over 100,000 enterprise customers globally across finance, manufacturing, and logistics sectors.
TeamPCP illustrates the structural risk the developer toolchain presents as an attack surface: a single compromised package in a trusted vendor's official registry can reach millions of downstream build environments in hours. The credential-theft payload targets authentication tokens developers hold for internal systems, cloud providers, and CI/CD pipelines — precisely the lateral-movement substrate a post-initial-access attacker would exploit.