30APR

Three supply-chain hits in thirteen days

3 min read

08:16UTC

Official SAP npm packages, 73 OpenVSX VS Code extensions and a 1.1 million-download PyPI package were all compromised inside thirteen days at the end of April.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyDeveloping

Key takeaway

The developer's laptop trusting a public registry is now the perimeter.

The TeamPCP campaign compromised official SAP npm packages at the end of April, stealing developer credentials and authentication tokens ¹. GlassWorm turned 73 dormant OpenVSX Visual Studio Code extensions malicious on Monday 27 April after staged updates pushed payloads into previously trusted plugins. A PyPI package with 1.1 million monthly downloads was found distributing infostealer malware late in the window. Three separate actors hit the developer toolchain in thirteen days.

The wave repositions where defenders sit. Cumulatively, the developer toolchain has become a primary lateral-movement substrate, and the defender is no longer the IT team blocking traffic at the corporate edge but the developer's laptop trusting a public registry. TeamPCP is the first direct hit against a top-tier vendor's official packages in the window, which puts a tier-one enterprise software estate on the exposure list rather than the long-tail small-package population that prior supply-chain campaigns favoured.

The build-time controls that matter (lockfile pinning to known-good commits, allow-listed registry mirrors, signed manifests, software bills of materials) have been an underinvested category at most enterprises and a particular weak spot at growth-stage technology firms. The same week that Mandiant disclosed UNC6692 running cloud command-and-control on AWS and Heroku, the supply-chain wave compounds the developer-toolchain attack surface from a different vector. Coverage of the parallel DOJ ALPHV insider-threat conviction shows that the build-pipeline trust problem is not unique to public registries. For CISOs whose engineers run `npm install` and `pip install` against public registries, defender posture has materially worsened in two weeks, and the procurement question for build-pipeline tooling has moved from optional to acute.

Deep Analysis

In plain English

Software developers use package managers, automated tools that download and install code written by other developers, to build software faster. Three separate attacks in thirteen days injected malicious code into official packages that developers trust: SAP's developer tools, 73 VS Code editor plugins, and a widely downloaded Python package. Any developer who downloaded these during the attack window may have installed malware onto their work computer. Unlike traditional hacking, these attacks required no mistake by the developer; the malware came disguised as legitimate, trusted software.

Deep Analysis

Root Causes

Package registries (npm, PyPI, OpenVSX) operate on a model of delegated trust: a package published by a verified namespace is treated as trustworthy by every downstream consumer without further verification of the binary content. This model works as long as the namespace owner maintains exclusive control of their signing credentials and publishing pipeline.

When either is compromised, the registry's trust model becomes an attacker multiplier: every developer who runs `npm install` or `pip install` in the window between publication and takedown becomes a victim without any action on their part.

The GlassWorm dormant-extension vector exploits a second structural gap: extension registries do not retire or flag packages whose maintainers have abandoned them, because abandonment is indistinguishable from low-maintenance active stewardship. An attacker who registers a near-abandoned package's namespace clone, waits for the original to go dormant, and then pushes a staged update exploits the continuity of trust the registry extends to historical packages.

What could happen next?

Consequence
Enterprises running SAP-dependent development pipelines should assume developer credentials and authentication tokens were potentially exfiltrated in the TeamPCP window and rotate affected credentials.
Immediate · 0.85
Risk
Any organisation whose developers use VS Code with OpenVSX extensions and have not audited their extension set since 27 April faces unresolved exposure from GlassWorm payloads on developer endpoints.
Immediate · 0.8
Precedent
TeamPCP's breach of an official SAP vendor namespace will accelerate SBOM mandate enforcement timelines for enterprise software procurement, as the attack class demonstrates that package origin alone is insufficient for supply-chain assurance.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2020 SolarWinds Orion supply-chain compromise, in which tampered build artefacts were signed with SolarWinds' own certificate and distributed to 18,000 customers as a legitimate update, is the direct structural precedent for TeamPCP's compromise of an official vendor namespace.

In both cases, the attacker gained access to the build or publish pipeline of a trusted software vendor, allowing malicious code to inherit the vendor's trust credentials. SolarWinds SUNBURST remained undetected for nine months; TeamPCP's SAP npm vector was caught within days, suggesting that developer-supply-chain detection tooling has matured since 2020, though not yet to the point of prevention.

Counter-parallel: The 2018 event-stream npm attack targeted a single maintainer's abandoned package, injecting malicious code into a downstream dependency affecting cryptocurrency wallets. Event-stream was caught by a developer Community review within weeks; it affected a narrow target class.

TeamPCP's target is SAP's enterprise developer ecosystem, meaning the credential-theft payload lands in environments with access to ERP (enterprise resource planning) systems, payroll databases and customer records. Event-stream compromised wallets holding thousands of dollars; TeamPCP's payload reaches systems holding millions of customer records.

Consensus view: Snyk's developer security research team notes that the TeamPCP compromise of official SAP npm packages marks a qualitative escalation in supply-chain targeting: prior campaigns (XZ Utils, event-stream, Node-ipc) targeted open-source packages with small maintainer Teams who could be socially engineered or impersonated.

Compromising official packages published under a Fortune 500 vendor's namespace requires either a compromised developer account with signing authority or a breach of the vendor's CI/CD pipeline; both are significantly harder targets than an orphaned open-source package. The SAP compromise therefore signals that attackers are moving up the trust hierarchy from orphaned open-source packages to tier-one vendor namespaces.

Counter-view: The OpenSSF (Open Source Security Foundation) cautions that the GlassWorm campaign against 73 dormant OpenVSX extensions exploits a known gap that OpenVSX has been aware of since 2023: extension registries treat dormant packages as low-risk when they are in fact high-risk because their maintainers have stopped monitoring for update alerts.

OpenSSF's prior advocacy for mandatory maintainer activity checks has not been implemented by OpenVSX. The three-wave attack is therefore not an escalation but the predictable exploitation of a known unmitigated gap.

Key tension: Whether software bill of materials (SBOM) mandates, as required under US Executive Order 14028 for federal software procurement, will mature quickly enough to catch vendored-namespace supply-chain attacks like TeamPCP, where the package appears legitimate at every SBOM level but the binary content has been tampered.

Sources:Bleeping Computer

Mentions:SAP →Node.js →Orion →Fortune →UNC6692 →Mandiant →ALPHV →SolarWinds →Heroku →AWS →Department of Justice →OpenVSX →PyPI →TeamPCP →GlassWorm →

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Bleeping Computer· 30 Apr 2026

Read original →

Causes and effects

Caused by

UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing

UNC1069's Axios compromise is the fourth developer-toolchain attack in five weeks, following the TeamPCP/SAP npm, GlassWorm/OpenVSX, and PyPI infostealer events in the supply-chain cluster.

Occurred 5 May 2026

Read story →

This Event

Three supply-chain hits in thirteen days

Build-time supply chain has become primary attack surface; the developer's laptop trusting a registry is now the perimeter, not the corporate firewall.

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.