The never-ending supply chain attacks worm into SAP npm packages, other dev systems
Compiled by KHAO Editorial, aggregated from 1 outlet (The Register).
The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.
Key facts
- On April 29, TeamPCP compromised four official npm packages from the SAP JavaScript and cloud application development ecosystem and published the poisoned releases between 09:55 and 12:14 UTC
- The newly compromised packages as of Thursday include (according to Google-owned Wiz) and (says supply-chain security firm Socket) and and 2.6.3
- Collectively, these four packages receive about 572,000 weekly downloads and are widely used by developers building cloud applications
- Here's what has happened in the world of supply-chain attacks over the past 48 hours
Summary
The newly compromised packages as of Thursday include (according to Google-owned Wiz) and (says supply-chain security firm Socket) and and 2.6.3. Attackers infected all versions with the same credential-stealing malware that, on Wednesday, poisoned multiple npm packages associated with SAP's JavaScript and cloud application development ecosystem. So far, these SAP-related npm packages include:. Collectively, these four packages receive about 572,000 weekly downloads and are widely used by developers building cloud applications.