SAP: what you need to know
setup.mjs: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34.
SAP npm packages poisoned on April 29, 2026 + AES-256-GCM encrypted credential theft + AI coding tools abused for spread. SAP is one of the topics drawing attention in Brazil this Thursday.
The facts
- Compromised SAP npm packages use a Bun-based preinstall payload to steal GitHub, npm, cloud, and CI secrets, then spread via GitHub using OhNoWhatsGoingOnWithGitHub.
- A new npm supply-chain compromise is targeting the SAP developer ecosystem.
- Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm packages with credential-stealing malware.
- Update 1520 UTC, 30 April 2026: two additional packages were trojanized today:
The essentials
The mechanisms are substantially similar, using the same naming scheme (word1-word2-number) and the same repo description "Checkmarx Configuration Storage". The biggest change is that the SAP operation uses the GraphQL API, rather than the REST API, which was used in the Bitwarden operation.
The numbers
The payload is an 11.7 MB credential stealer and propagation framework.
In the @cap-js/[email protected] sample, the ordinary files match clean @cap-js/[email protected] byte-for-byte.
On April 29, a short-lived draft PR titled "feat: ci speedup" was opened from gruposbftechrecruiter/harkonnen-navigator-149.
A PR build on pull/1223 checked out commit a959014aa7b7fc37a9b5730c951776e7db2920a6, which added a Bun loader at bin/config.mjs, added an obfuscated payload at bin/mbt.js, and changed the test command to:

Context
The normal package code still looks like the legitimate SAP package.
That lines up with what we found in SAP/cloud-mta-build-tool.
The targeted packages sit in normal SAP development workflows. @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service are part of the SAP CAP database ecosystem, while mbt is used around SAP Cloud MTA build workflows.
The loader checks the operating system and architecture, downloads Bun 1.3.13 from GitHub when needed, extracts the binary, and uses Bun to run execution.js.
It uses a custom string scrambling layer labeled ctf-scramble-v2, checks whether it is running in CI, exits on Russian locale settings, and daemonizes itself on non-CI machines.
Related searches
Several related queries accompany this topic:
- "Tech has become geopolitical": SAP launches its sovereign offering in France with S3ns
- Sovereign cloud: SAP will offer its business intelligence solution for ERP on S3NS, with Thales as first customer
- SAP enters the SecNumCloud ecosystem with Thales as pilot customer
- After Bleu, SAP deploys its ERP on the S3NS cloud
- Precisely Automate obtains SAP Clean Core certification for SAP S/4HANA Cloud Private Edition
- Trusted cloud: SAP comes aboard S3NS