RC RANDOM CHAOS

Compromised SAP-linked npm packages exfiltrate developer credentials

via The Hacker News

Original source: SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack (The Hacker News)

Several npm packages tied to SAP tooling were hijacked and republished with credential-stealing payloads, hitting developers who pulled updates before the malicious versions were caught. The injected code scrapes environment variables, tokens, and local secrets from build machines and ships them to attacker-controlled infrastructure, turning routine npm install runs into credential-disclosure events.

The incident fits the now-familiar pattern of compromised maintainer accounts being used to push poisoned releases through trusted distribution channels. SAP-adjacent packages widen the blast radius into enterprise environments where stolen tokens map directly to ERP, cloud, and CI/CD access. Pinning exact versions, enforcing lockfile integrity hashes, and isolating build environments from long-lived secrets remain the only meaningful defenses; downstream consumers that auto-upgrade are the ones bleeding credentials.

Rotation of any secret that touched a build host running the affected versions is the immediate ask, followed by an audit of outbound network activity from CI runners during the exposure window.


This is an AI-generated summary. Read the original for the full story.