14JUN

Three supply-chain hits in thirteen days

3 min read

11:51UTC

Official SAP npm packages, 73 OpenVSX VS Code extensions and a 1.1 million-download PyPI package were all compromised inside thirteen days at the end of April.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

The developer's laptop trusting a public registry is now the perimeter.

The TeamPCP campaign compromised official SAP npm packages at the end of April, stealing developer credentials and authentication tokens ¹. GlassWorm turned 73 dormant OpenVSX Visual Studio Code extensions malicious on Monday 27 April after staged updates pushed payloads into previously trusted plugins. A PyPI package with 1.1 million monthly downloads was found distributing infostealer malware late in the window. Three separate actors hit the developer toolchain in thirteen days.

The wave repositions where defenders sit. Cumulatively, the developer toolchain has become a primary lateral-movement substrate, and the defender is no longer the IT team blocking traffic at the corporate edge but the developer's laptop trusting a public registry. TeamPCP is the first direct hit against a top-tier vendor's official packages in the window, which puts a tier-one enterprise software estate on the exposure list rather than the long-tail small-package population that prior supply-chain campaigns favoured.

The build-time controls that matter (lockfile pinning to known-good commits, allow-listed registry mirrors, signed manifests, software bills of materials) have been an underinvested category at most enterprises and a particular weak spot at growth-stage technology firms. The same week that Mandiant disclosed UNC6692 running cloud command-and-control on AWS and Heroku, the supply-chain wave compounds the developer-toolchain attack surface from a different vector. Coverage of the parallel DOJ ALPHV insider-threat conviction shows that the build-pipeline trust problem is not unique to public registries. For CISOs whose engineers run `npm install` and `pip install` against public registries, defender posture has materially worsened in two weeks, and the procurement question for build-pipeline tooling has moved from optional to acute.

Deep Analysis

In plain English

Software developers use package managers, automated tools that download and install code written by other developers, to build software faster. Three separate attacks in thirteen days injected malicious code into official packages that developers trust: SAP's developer tools, 73 VS Code editor plugins, and a widely downloaded Python package. Any developer who downloaded these during the attack window may have installed malware onto their work computer. Unlike traditional hacking, these attacks required no mistake by the developer; the malware came disguised as legitimate, trusted software.

Deep Analysis

Root Causes

Package registries (npm, PyPI, OpenVSX) operate on a model of delegated trust: a package published by a verified namespace is treated as trustworthy by every downstream consumer without further verification of the binary content. This model works as long as the namespace owner maintains exclusive control of their signing credentials and publishing pipeline.

When either is compromised, the registry's trust model becomes an attacker multiplier: every developer who runs `npm install` or `pip install` in the window between publication and takedown becomes a victim without any action on their part.

The GlassWorm dormant-extension vector exploits a second structural gap: extension registries do not retire or flag packages whose maintainers have abandoned them, because abandonment is indistinguishable from low-maintenance active stewardship. An attacker who registers a near-abandoned package's namespace clone, waits for the original to go dormant, and then pushes a staged update exploits the continuity of trust the registry extends to historical packages.

What could happen next?

Consequence
Enterprises running SAP-dependent development pipelines should assume developer credentials and authentication tokens were potentially exfiltrated in the TeamPCP window and rotate affected credentials.
Immediate · 0.85
Risk
Any organisation whose developers use VS Code with OpenVSX extensions and have not audited their extension set since 27 April faces unresolved exposure from GlassWorm payloads on developer endpoints.
Immediate · 0.8
Precedent
TeamPCP's breach of an official SAP vendor namespace will accelerate SBOM mandate enforcement timelines for enterprise software procurement, as the attack class demonstrates that package origin alone is insufficient for supply-chain assurance.
Medium term · 0.75

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2020 SolarWinds Orion supply-chain compromise, in which tampered build artefacts were signed with SolarWinds' own certificate and distributed to 18,000 customers as a legitimate update, is the direct structural precedent for TeamPCP's compromise of an official vendor namespace.

In both cases, the attacker gained access to the build or publish pipeline of a trusted software vendor, allowing malicious code to inherit the vendor's trust credentials. SolarWinds SUNBURST remained undetected for nine months; TeamPCP's SAP npm vector was caught within days, suggesting that developer-supply-chain detection tooling has matured since 2020, though not yet to the point of prevention.

Counter-parallel: The 2018 event-stream npm attack targeted a single maintainer's abandoned package, injecting malicious code into a downstream dependency affecting cryptocurrency wallets. Event-stream was caught by a developer Community review within weeks; it affected a narrow target class.

TeamPCP's target is SAP's enterprise developer ecosystem, meaning the credential-theft payload lands in environments with access to ERP (enterprise resource planning) systems, payroll databases and customer records. Event-stream compromised wallets holding thousands of dollars; TeamPCP's payload reaches systems holding millions of customer records.

Consensus view: Snyk's developer security research team notes that the TeamPCP compromise of official SAP npm packages marks a qualitative escalation in supply-chain targeting: prior campaigns (XZ Utils, event-stream, Node-ipc) targeted open-source packages with small maintainer Teams who could be socially engineered or impersonated.

Compromising official packages published under a Fortune 500 vendor's namespace requires either a compromised developer account with signing authority or a breach of the vendor's CI/CD pipeline; both are significantly harder targets than an orphaned open-source package. The SAP compromise therefore signals that attackers are moving up the trust hierarchy from orphaned open-source packages to tier-one vendor namespaces.

Counter-view: The OpenSSF (Open Source Security Foundation) cautions that the GlassWorm campaign against 73 dormant OpenVSX extensions exploits a known gap that OpenVSX has been aware of since 2023: extension registries treat dormant packages as low-risk when they are in fact high-risk because their maintainers have stopped monitoring for update alerts.

OpenSSF's prior advocacy for mandatory maintainer activity checks has not been implemented by OpenVSX. The three-wave attack is therefore not an escalation but the predictable exploitation of a known unmitigated gap.

Key tension: Whether software bill of materials (SBOM) mandates, as required under US Executive Order 14028 for federal software procurement, will mature quickly enough to catch vendored-namespace supply-chain attacks like TeamPCP, where the package appears legitimate at every SBOM level but the binary content has been tampered.

Sources:Bleeping Computer

Mentions:SAP →Node.js →Orion →Fortune →Mandiant →ALPHV →SolarWinds →Heroku →AWS →Department of Justice →OpenVSX →PyPI →GlassWorm →UNC6780 →

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Bleeping Computer· 30 Apr 2026

Read original →

Causes and effects

Caused by

UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing

UNC1069's Axios compromise is the fourth developer-toolchain attack in five weeks, following the TeamPCP/SAP npm, GlassWorm/OpenVSX, and PyPI infostealer events in the supply-chain cluster.

Occurred 5 May 2026

Read story →

This Event

Three supply-chain hits in thirteen days

Build-time supply chain has become primary attack surface; the developer's laptop trusting a registry is now the perimeter, not the corporate firewall.

Led to

GitHub's own code cloned via add-on

The GitHub internal repository breach is the latest step in the same supply-chain wave that hit SAP npm packages, OpenVSX extensions and PyPI in the prior fortnight.

Occurred 18 May 2026

Read story →

Attack worm kit now open-sourced freely

The TeamPCP SAP npm and PyPI supply-chain attacks established the developer-toolchain attack surface; Shai-Hulud's open-source release and Phantom Gyp turn that surface into a commodity kit.

Occurred 3 Jun 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.