RC RANDOM CHAOS

TeamPCP hijacks SAP npm packages in scaled-down Shai-Hulud-style worm attack

via Dark Reading

Original source

TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack


A threat actor tracked as TeamPCP compromised npm packages tied to SAP, deploying a self-propagating payload that researchers are calling a ‘Mini Shai-Hulud’ due to its similarity to the earlier worm campaign that tore through the npm ecosystem. The malware harvests developer credentials and cloud tokens from infected machines, then attempts to push trojanized versions of additional packages the victim maintains, turning each compromised maintainer into a launch pad for further infections.

The SAP-linked packages give the attack unusual reach into enterprise build pipelines, where ERP-adjacent tooling tends to run with elevated trust and broader network access than typical web dependencies. Defenders should audit recent installs of the affected packages, rotate any credentials touched by CI runners or developer workstations that pulled them, and pin to known-good versions while the registry purges the malicious releases.
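One way to carry out the audit step above, as an added example that is not part of the original summary or the Dark Reading article: a Node.js check that walks a parsed `package-lock.json` (v1 tree or v2/v3 flat map) and reports every direct or transitive copy that matches an advisory list. The names and versions in `ADVISORY` are placeholders, since this summary does not list the affected releases, and all function names are hypothetical.

```javascript
// Constructed advisory: placeholder names and versions, not the real affected packages.
const ADVISORY = { "@example-vendor/build-tool": ["2.4.1"], "example-helper": ["1.0.9"] };
const NM = "node_modules/";

const isBad = (advisory, name, version) =>
  Object.hasOwn(advisory, name) && advisory[name].includes(version);

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, advisory) {
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const name = entry.name || path.slice(path.lastIndexOf(NM) + NM.length);
    if (isBad(advisory, name, entry.version)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, advisory, prefix = "") {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix + NM + name;
    if (isBad(advisory, name, entry.version)) hits.push({ name, version: entry.version, path });
    hits.push(...scanDependencyTree(entry.dependencies, advisory, path + "/"));
  }
  return hits;
}

// Returns every installed copy (direct or transitive) matching the advisory.
function findAffected(lock, advisory) {
  return lock.packages
    ? scanPackagesMap(lock.packages, advisory)
    : scanDependencyTree(lock.dependencies, advisory);
}

// Constructed sample lockfile (v3 layout): one direct hit, one nested hit, one clean copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-vendor/build-tool": { version: "2.4.1" },
    "node_modules/example-helper": { version: "1.0.8" },
    "node_modules/other/node_modules/example-helper": { version: "1.0.9" },
  },
};

console.log(findAffected(SAMPLE_LOCK, ADVISORY));
```

Any hit identifies a workstation or CI runner whose credentials fall under the rotation advice above; an empty result only covers the lockfile that was scanned, not caches or globally installed packages.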

The incident continues a clear pattern: npm-borne worms no longer need the original Shai-Hulud’s scale to be effective. Smaller, targeted variants riding the same propagation playbook are now a recurring fixture of the supply-chain threat landscape, and registries’ detection lag remains the attacker’s biggest advantage.


This is an AI-generated summary. Read the original for the full story.