7JUN

Three supply-chain hits in thirteen days

3 min read

10:08UTC

Official SAP npm packages, 73 OpenVSX VS Code extensions and a 1.1 million-download PyPI package were all compromised inside thirteen days at the end of April.

← Back to The 2024 patch that is breaking now Jump to analysis ↓

TechnologyDeveloping

Key takeaway

The developer's laptop trusting a public registry is now the perimeter.

The TeamPCP campaign compromised official SAP npm packages at the end of April, stealing developer credentials and authentication tokens ¹. GlassWorm turned 73 dormant OpenVSX Visual Studio Code extensions malicious on Monday 27 April after staged updates pushed payloads into previously trusted plugins. A PyPI package with 1.1 million monthly downloads was found distributing infostealer malware late in the window. Three separate actors hit the developer toolchain in thirteen days.

The wave repositions where defenders sit. Cumulatively, the developer toolchain has become a primary lateral-movement substrate, and the defender is no longer the IT team blocking traffic at the corporate edge but the developer's laptop trusting a public registry. TeamPCP is the first direct hit against a top-tier vendor's official packages in the window, which puts a tier-one enterprise software estate on the exposure list rather than the long-tail small-package population that prior supply-chain campaigns favoured.

The build-time controls that matter (lockfile pinning to known-good commits, allow-listed registry mirrors, signed manifests, software bills of materials) have been an underinvested category at most enterprises and a particular weak spot at growth-stage technology firms. The same week that Mandiant disclosed UNC6692 running cloud command-and-control on AWS and Heroku, the supply-chain wave compounds the developer-toolchain attack surface from a different vector. Coverage of the parallel DOJ ALPHV insider-threat conviction shows that the build-pipeline trust problem is not unique to public registries. For CISOs whose engineers run `npm install` and `pip install` against public registries, defender posture has materially worsened in two weeks, and the procurement question for build-pipeline tooling has moved from optional to acute.

Deep Analysis

In plain English

Software developers use package managers, automated tools that download and install code written by other developers, to build software faster. Three separate attacks in thirteen days injected malicious code into official packages that developers trust: SAP's developer tools, 73 VS Code editor plugins, and a widely downloaded Python package. Any developer who downloaded these during the attack window may have installed malware onto their work computer. Unlike traditional hacking, these attacks required no mistake by the developer; the malware came disguised as legitimate, trusted software.

Deep Analysis

Root Causes

Package registries (npm, PyPI, OpenVSX) operate on a model of delegated trust: a package published by a verified namespace is treated as trustworthy by every downstream consumer without further verification of the binary content. This model works as long as the namespace owner maintains exclusive control of their signing credentials and publishing pipeline.

When either is compromised, the registry's trust model becomes an attacker multiplier: every developer who runs `npm install` or `pip install` in the window between publication and takedown becomes a victim without any action on their part.

The GlassWorm dormant-extension vector exploits a second structural gap: extension registries do not retire or flag packages whose maintainers have abandoned them, because abandonment is indistinguishable from low-maintenance active stewardship. An attacker who registers a near-abandoned package's namespace clone, waits for the original to go dormant, and then pushes a staged update exploits the continuity of trust the registry extends to historical packages.

What could happen next?

Consequence
Enterprises running SAP-dependent development pipelines should assume developer credentials and authentication tokens were potentially exfiltrated in the TeamPCP window and rotate affected credentials.
Immediate · 0.85
Risk
Any organisation whose developers use VS Code with OpenVSX extensions and have not audited their extension set since 27 April faces unresolved exposure from GlassWorm payloads on developer endpoints.
Immediate · 0.8
Precedent
TeamPCP's breach of an official SAP vendor namespace will accelerate SBOM mandate enforcement timelines for enterprise software procurement, as the attack class demonstrates that package origin alone is insufficient for supply-chain assurance.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2020 SolarWinds Orion supply-chain compromise, in which tampered build artefacts were signed with SolarWinds' own certificate and distributed to 18,000 customers as a legitimate update, is the direct structural precedent for TeamPCP's compromise of an official vendor namespace.

In both cases, the attacker gained access to the build or publish pipeline of a trusted software vendor, allowing malicious code to inherit the vendor's trust credentials. SolarWinds SUNBURST remained undetected for nine months; TeamPCP's SAP npm vector was caught within days, suggesting that developer-supply-chain detection tooling has matured since 2020, though not yet to the point of prevention.

Counter-parallel: The 2018 event-stream npm attack targeted a single maintainer's abandoned package, injecting malicious code into a downstream dependency affecting cryptocurrency wallets. Event-stream was caught by a developer Community review within weeks; it affected a narrow target class.

TeamPCP's target is SAP's enterprise developer ecosystem, meaning the credential-theft payload lands in environments with access to ERP (enterprise resource planning) systems, payroll databases and customer records. Event-stream compromised wallets holding thousands of dollars; TeamPCP's payload reaches systems holding millions of customer records.

Consensus view: Snyk's developer security research team notes that the TeamPCP compromise of official SAP npm packages marks a qualitative escalation in supply-chain targeting: prior campaigns (XZ Utils, event-stream, Node-ipc) targeted open-source packages with small maintainer teams who could be socially engineered or impersonated.

Compromising official packages published under a Fortune 500 vendor's namespace requires either a compromised developer account with signing authority or a breach of the vendor's CI/CD pipeline; both are significantly harder targets than an orphaned open-source package. The SAP compromise therefore signals that attackers are moving up the trust hierarchy from orphaned open-source packages to tier-one vendor namespaces.

Counter-view: The OpenSSF (Open Source Security Foundation) cautions that the GlassWorm campaign against 73 dormant OpenVSX extensions exploits a known gap that OpenVSX has been aware of since 2023: extension registries treat dormant packages as low-risk when they are in fact high-risk because their maintainers have stopped monitoring for update alerts.

OpenSSF's prior advocacy for mandatory maintainer activity checks has not been implemented by OpenVSX. The three-wave attack is therefore not an escalation but the predictable exploitation of a known unmitigated gap.

Key tension: Whether software bill of materials (SBOM) mandates, as required under US Executive Order 14028 for federal software procurement, will mature quickly enough to catch vendored-namespace supply-chain attacks like TeamPCP, where the package appears legitimate at every SBOM level but the binary content has been tampered.

Sources:Bleeping Computer

Mentions:SAP →Node.js →Orion →Fortune →Mandiant →ALPHV →SolarWinds →Heroku →AWS →Department of Justice →OpenVSX →PyPI →GlassWorm →UNC6780 →

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Bleeping Computer· 30 Apr 2026

Read original →

Causes and effects

Caused by

UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing

UNC1069's Axios compromise is the fourth developer-toolchain attack in five weeks, following the TeamPCP/SAP npm, GlassWorm/OpenVSX, and PyPI infostealer events in the supply-chain cluster.

Occurred 5 May 2026

Read story →

This Event

Three supply-chain hits in thirteen days

Build-time supply chain has become primary attack surface; the developer's laptop trusting a registry is now the perimeter, not the corporate firewall.

Led to

GitHub's own code cloned via add-on

The GitHub internal repository breach is the latest step in the same supply-chain wave that hit SAP npm packages, OpenVSX extensions and PyPI in the prior fortnight.

Occurred 18 May 2026

Read story →

Different Perspectives

Australian Cyber Security Centre (ACSC)

Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement

Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)

The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective

The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator

NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)

Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.