Cybersecurity: Threats and Defences
29 MAY

Three supply-chain hits in thirteen days

14:17 UTC

Official SAP npm packages, 73 OpenVSX VS Code extensions and a 1.1 million-download PyPI package were all compromised inside thirteen days at the end of April.

Technology · Developing
Key takeaway

The developer's laptop trusting a public registry is now the perimeter.

The TeamPCP campaign compromised official SAP npm packages at the end of April, stealing developer credentials and authentication tokens [1]. GlassWorm turned 73 dormant OpenVSX Visual Studio Code extensions malicious on Monday 27 April after staged updates pushed payloads into previously trusted plugins. A PyPI package with 1.1 million monthly downloads was found distributing infostealer malware late in the window. Three separate actors hit the developer toolchain in thirteen days.

The wave shifts where defence has to happen. Taken together, the incidents show that the developer toolchain has become a primary lateral-movement substrate: the control point is no longer the IT team blocking traffic at the corporate edge but the developer's laptop trusting a public registry. TeamPCP is the first direct hit against a top-tier vendor's official packages in the window, which puts a tier-one enterprise software estate on the exposure list rather than the long-tail small-package population that prior supply-chain campaigns favoured.

The build-time controls that matter (lockfile pinning to known-good commits, allow-listed registry mirrors, signed manifests, software bills of materials) have been an underinvested category at most enterprises and a particular weak spot at growth-stage technology firms. The same week that Mandiant disclosed UNC6692 running cloud command-and-control on AWS and Heroku, the supply-chain wave compounds the developer-toolchain attack surface from a different vector. Coverage of the parallel DOJ ALPHV insider-threat conviction shows that the build-pipeline trust problem is not unique to public registries. For CISOs whose engineers run `npm install` and `pip install` against public registries, defender posture has materially worsened in two weeks, and the procurement question for build-pipeline tooling has moved from optional to acute.
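One way to check two of the controls named above (lockfile pinning and allow-listed registry mirrors) against an npm `package-lock.json`. This is an added example, not code from the original briefing; the mirror hostname, package names and hash strings are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption: hypothetical internal mirror host; replace with your own.
ALLOWED_HOSTS = {"npm-mirror.example.internal"}
STRONG_HASHES = ("sha512-", "sha384-", "sha256-")

def audit_lockfile(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return sorted (package_path, problem) findings for a package-lock.json v2/v3."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        return [("", "lockfileVersion < 2: no 'packages' map to audit")]
    findings = []
    for path, entry in lock.get("packages", {}).items():
        # Skip the root project, workspace symlinks and deps bundled in a parent tarball.
        if path == "" or entry.get("link") or entry.get("inBundle"):
            continue
        url = urlparse(entry.get("resolved", ""))
        if url.scheme != "https":
            findings.append((path, f"non-https source: {url.scheme or 'none'}"))
        elif url.hostname not in allowed_hosts:
            findings.append((path, f"host not allow-listed: {url.hostname}"))
        if not entry.get("integrity", "").startswith(STRONG_HASHES):
            findings.append((path, "missing or weak integrity hash"))
    return sorted(findings)

# Constructed lockfile: package names, URLs and hash strings are invented.
MIRROR = "https://npm-mirror.example.internal"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/alpha": {"version": "2.1.0", "integrity": "sha512-CONSTRUCTED",
                           "resolved": f"{MIRROR}/alpha/-/alpha-2.1.0.tgz"},
    "node_modules/beta": {"version": "0.4.2", "integrity": "sha512-CONSTRUCTED",
                          "resolved": "https://registry.npmjs.org/beta/-/beta-0.4.2.tgz"},
    "node_modules/gamma": {"version": "1.3.0", "integrity": "sha1-CONSTRUCTED",
                           "resolved": f"{MIRROR}/gamma/-/gamma-1.3.0.tgz"},
    "node_modules/delta": {"version": "0.0.1",
                           "resolved": "git+ssh://git@git.example.internal/team/delta.git#0000000"},
}})

if __name__ == "__main__":
    for path, problem in audit_lockfile(SAMPLE_LOCK):
        print(f"{path}: {problem}")
```

A check like this belongs in CI ahead of `npm ci`, which installs strictly from the lockfile.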

Deep Analysis

In plain English

Software developers use package managers, automated tools that download and install code written by other developers, to build software faster. Three separate attacks in thirteen days injected malicious code into official packages that developers trust: SAP's developer tools, 73 VS Code editor plugins, and a widely downloaded Python package. Any developer who downloaded these during the attack window may have installed malware onto their work computer. Unlike traditional hacking, these attacks required no mistake by the developer; the malware came disguised as legitimate, trusted software.

Root Causes

Package registries (npm, PyPI, OpenVSX) operate on a model of delegated trust: a package published by a verified namespace is treated as trustworthy by every downstream consumer without further verification of the binary content. This model works as long as the namespace owner maintains exclusive control of their signing credentials and publishing pipeline.

When either is compromised, the registry's trust model becomes an attacker multiplier: every developer who runs `npm install` or `pip install` in the window between publication and takedown becomes a victim without any action on their part.

The GlassWorm dormant-extension vector exploits a second structural gap: extension registries do not retire or flag packages whose maintainers have abandoned them, because abandonment is indistinguishable from low-maintenance active stewardship. An attacker who registers a near-abandoned package's namespace clone, waits for the original to go dormant, and then pushes a staged update exploits the continuity of trust the registry extends to historical packages.
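A triage heuristic for the dormant-extension pattern described above: flag extensions whose releases resumed after a long silence, and note whether the installed build postdates the gap. This is an added example, not from the original briefing or any registry's tooling; the inventory, extension ids and 365-day threshold are assumptions, and the input is release metadata you have already collected.

```python
from datetime import datetime, timedelta, timezone

# Assumptions: 365 days of silence counts as dormant; the review window opens on
# 27 April 2026 (the date the page gives, year taken from its 30 Apr 2026 source line).
DORMANCY = timedelta(days=365)
REVIEW_SINCE = datetime(2026, 4, 27, tzinfo=timezone.utc)

# Constructed inventory: extension ids, versions and timestamps are invented.
INVENTORY = {
    "example-pub.old-theme": {"installed": "1.1.1", "releases": [
        ("1.0.0", "2023-02-01T00:00:00+00:00"), ("1.0.1", "2023-03-01T00:00:00+00:00"),
        ("1.1.0", "2026-04-27T09:00:00+00:00"), ("1.1.1", "2026-04-28T09:00:00+00:00")]},
    "example-pub.pinned-old": {"installed": "2.0.0", "releases": [
        ("2.0.0", "2024-01-10T00:00:00+00:00"), ("2.1.0", "2026-04-27T10:00:00+00:00")]},
    "example-pub.active-linter": {"installed": "3.4.0", "releases": [
        ("3.2.0", "2025-11-02T00:00:00+00:00"), ("3.3.0", "2026-02-14T00:00:00+00:00"),
        ("3.4.0", "2026-04-29T00:00:00+00:00")]},
}

def reactivated_after_dormancy(inventory, since=REVIEW_SINCE, dormancy=DORMANCY):
    """Map extension id -> (resumed_version, dormant_days, installed_is_post_gap)."""
    flagged = {}
    for ext_id, item in inventory.items():
        history = sorted((datetime.fromisoformat(ts), ver) for ver, ts in item["releases"])
        published = {ver: ts for ts, ver in history}
        for (prev_ts, _), (next_ts, next_ver) in zip(history, history[1:]):
            gap = next_ts - prev_ts
            # A release inside the review window that ends a long silence is the signal.
            if next_ts >= since and gap >= dormancy:
                installed_ts = published.get(item["installed"])
                post_gap = installed_ts is not None and installed_ts >= next_ts
                flagged[ext_id] = (next_ver, gap.days, post_gap)
                break
    return flagged

if __name__ == "__main__":
    for ext_id, (ver, days, post_gap) in reactivated_after_dormancy(INVENTORY).items():
        print(f"{ext_id}: resumed at {ver} after {days} days; installed post-gap: {post_gap}")
```

A hit is a reason to review the extension and its update diff, not proof that it is malicious.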

What could happen next?
  • Consequence

    Enterprises running SAP-dependent development pipelines should assume developer credentials and authentication tokens were potentially exfiltrated in the TeamPCP window and rotate affected credentials.

    Immediate · 0.85
  • Risk

    Any organisation whose developers use VS Code with OpenVSX extensions and have not audited their extension set since 27 April faces unresolved exposure from GlassWorm payloads on developer endpoints.

    Immediate · 0.8
  • Precedent

    TeamPCP's breach of an official SAP vendor namespace will accelerate SBOM mandate enforcement timelines for enterprise software procurement, as the attack class demonstrates that package origin alone is insufficient for supply-chain assurance.

    Medium term · 0.75
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Bleeping Computer · 30 Apr 2026
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.