Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

Three supply-chain hits in thirteen days

3 min read
10:57UTC

Official SAP npm packages, 73 OpenVSX VS Code extensions and a 1.1 million-download PyPI package were all compromised inside thirteen days at the end of April.

TechnologyDeveloping
Key takeaway

The developer's laptop trusting a public registry is now the perimeter.

The TeamPCP campaign compromised official SAP npm packages at the end of April, stealing developer credentials and authentication tokens 1. GlassWorm turned 73 dormant OpenVSX Visual Studio Code extensions malicious on Monday 27 April after staged updates pushed payloads into previously trusted plugins. A PyPI package with 1.1 million monthly downloads was found distributing infostealer malware late in the window. Three separate actors hit the developer toolchain in thirteen days.

The wave repositions where defenders sit. Cumulatively, the developer toolchain has become a primary lateral-movement substrate, and the defender is no longer the IT team blocking traffic at the corporate edge but the developer's laptop trusting a public registry. TeamPCP is the first direct hit against a top-tier vendor's official packages in the window, which puts a tier-one enterprise software estate on the exposure list rather than the long-tail small-package population that prior supply-chain campaigns favoured.

The build-time controls that matter (lockfile pinning to known-good commits, allow-listed registry mirrors, signed manifests, software bills of materials) have been an underinvested category at most enterprises and a particular weak spot at growth-stage technology firms. The same week that Mandiant disclosed UNC6692 running cloud command-and-control on AWS and Heroku, the supply-chain wave compounds the developer-toolchain attack surface from a different vector. Coverage of the parallel DOJ ALPHV insider-threat conviction shows that the build-pipeline trust problem is not unique to public registries. For CISOs whose engineers run `npm install` and `pip install` against public registries, defender posture has materially worsened in two weeks, and the procurement question for build-pipeline tooling has moved from optional to acute.

Deep Analysis

In plain English

Software developers use package managers, automated tools that download and install code written by other developers, to build software faster. Three separate attacks in thirteen days injected malicious code into official packages that developers trust: SAP's developer tools, 73 VS Code editor plugins, and a widely downloaded Python package. Any developer who downloaded these during the attack window may have installed malware onto their work computer. Unlike traditional hacking, these attacks required no mistake by the developer; the malware came disguised as legitimate, trusted software.

Deep Analysis
Root Causes

Package registries (npm, PyPI, OpenVSX) operate on a model of delegated trust: a package published by a verified namespace is treated as trustworthy by every downstream consumer without further verification of the binary content. This model works as long as the namespace owner maintains exclusive control of their signing credentials and publishing pipeline.

When either is compromised, the registry's trust model becomes an attacker multiplier: every developer who runs `npm install` or `pip install` in the window between publication and takedown becomes a victim without any action on their part.

The GlassWorm dormant-extension vector exploits a second structural gap: extension registries do not retire or flag packages whose maintainers have abandoned them, because abandonment is indistinguishable from low-maintenance active stewardship. An attacker who registers a near-abandoned package's namespace clone, waits for the original to go dormant, and then pushes a staged update exploits the continuity of trust the registry extends to historical packages.

What could happen next?
  • Consequence

    Enterprises running SAP-dependent development pipelines should assume developer credentials and authentication tokens were potentially exfiltrated in the TeamPCP window and rotate affected credentials.

    Immediate · 0.85
  • Risk

    Any organisation whose developers use VS Code with OpenVSX extensions and have not audited their extension set since 27 April faces unresolved exposure from GlassWorm payloads on developer endpoints.

    Immediate · 0.8
  • Precedent

    TeamPCP's breach of an official SAP vendor namespace will accelerate SBOM mandate enforcement timelines for enterprise software procurement, as the attack class demonstrates that package origin alone is insufficient for supply-chain assurance.

    Medium term · 0.75
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Bleeping Computer· 30 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.