Malicious SAP npm packages target crypto wallet data

Four npm packages that were connected to SAP’s Cloud Application Programming Model were stolen. The hackers added code that steals crypto wallets, cloud credentials, and SSH keys from developers.

According to a report from Socket, the affected package versions include:

• mbt@1.2.48.
• @cap-js/db-service@2.10.1.
• @cap-js/postgres@2.2.2.
• @cap-js/sqlite@2.2.2.

These packages together get about 572,000 downloads a week from the SAP developer community.

npm packages steal cloud credentials and crypto wallets

Security researchers explained that the hacked packages pre-install a script that downloads and runs a Bun runtime binary from GitHub. It then runs an obfuscated 11.7MB JavaScript payload.

The original SAP source files are still there, but there are three additional new files:

• a modified package.json.
• setup.mjs.
• execution.js.

These files were timestamped hours after the real code. This shows that the tarballs were changed after being downloaded from a real source.

Socket called it “a strong signal of a coordinated, automated injection campaign” that the loader script is byte-identical in all four packages, even though they are in two different namespaces.

When the payload runs, it checks if the system is set to Russian and stops if it is. It then branches depending on whether it finds a CI/CD environment, by checking 25 platform variables, such as GitHub Actions, CircleCI, and Jenkins, or a developer workstation.

On developer computers, the malware reads more than 80 different types of credential files. These include SSH private keys, AWS and Azure credentials, Kubernetes configs, npm and Docker tokens, environment files, and crypto wallets on eleven different platforms. It also goes after configuration files for AI tools like Claude and Kiro MCP settings.

The payload has two layers of encryption. A function called `__decodeScrambled()` uses PBKDF2 with 200,000 SHA-256 iterations and a salt called “ctf-scramble-v2” to get the keys needed to decrypt something.

The function name, algorithm, salt, and iteration count are the same as those in previous Checkmarx and Bitwarden payloads. This suggests that the same tools are being used in multiple campaigns.

Socket is keeping an eye on the activity under the name “TeamPCP” and has made a separate tracking page for what it calls the “mini-shai-hulud” campaign.

Hackers target crypto developers persistently

The SAP package compromise is the most recent in a series of supply chain attacks that use package managers to steal digital asset credentials.

As Cryptopolitan reported at the time, researchers found five typosquatted npm packages in March 2026 that stole private keys from Solana and Ethereum developers and sent them to a Telegram bot.

ReversingLabs found a campaign called PromptMink a month later. In this campaign, a malicious package called @validate-sdk/v2 was added to an open-source crypto trading project through an AI-generated commit.

Cryptopolitan’s coverage of the ReversingLabs findings says that the attack, which was linked to the North Korean state-sponsored group Famous Chollima, specifically went after crypto wallet credentials and system secrets.

The SAP attack is different in size and direction. Instead of making fake packages with names that are similar to real ones, the attackers got into real, widely used packages that were kept under SAP’s namespace.

Security researchers recommend that teams that use SAP CAP or MTA-based deployment pipelines check their lockfiles right away for the affected versions.

Developers who installed these packages during the exposure window should change any credentials and tokens that may have been available in their build environments and check CI/CD logs for any unexpected network requests or binary execution.

According to researchers, at least one affected version, @cap-js/sqlite@2.2.2, seems to have already been unpublished from npm.