Supply chain attack against SAP npm packages facilitates credential theft

May 1, 2026
By SC Staff

Threat actors have compromised four SAP npm packages with credential-stealing malware as part of the new mini Shai-Hulud supply chain intrusion campaign, The Hacker News reports.

Affected were the SAP JavaScript and cloud application development ecosystem-related packages [email protected], @cap-js/db-service v2.10.1, @cap-js/postgres v2.2.2, and @cap-js/sqlite v2.2.2, all of which have already been deprecated from the npm repository, according to separate analyses from Aikido Security, SafeDep, Socket, StepSecurity, and Wiz.

A pre-install script included in the npm packages, which were published on Apr. 29, allowed the eventual execution of the credential stealer, which Aikido researchers noted exfiltrates developer credentials, GitHub and npm tokens, and GitHub Actions secrets, as well as AWS, Azure, Google Cloud Platform, and Kubernetes cloud secrets.

Wiz researchers suspected TeamPCP of having perpetrated the campaign, given the similarities with previous supply chain breaches. However, StepSecurity researchers observed that the campaign not only exists within Russian-locale systems and enables data exfiltration via AES-256-GCM but also involves a payload that self-commits to every accessible GitHub repository, marking a significant departure from earlier Shai-Hulud waves.

"This is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector," said StepSecurity.
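A defender's check for the packages named above, as an added example (not code from SC Media or the cited researchers): it scans a parsed npm package-lock.json (lockfile v2/v3) for the three affected @cap-js versions and lists every dependency npm marks with hasInstallScript. The function names and the sample lockfile are constructed for illustration; the fourth package is left out because its name is obscured on the page.

```javascript
// Affected versions named in the article. The fourth package appears on the
// page only as an obscured string, so it is deliberately not listed here.
const AFFECTED = new Map([
  ["@cap-js/db-service", ["2.10.1"]],
  ["@cap-js/postgres", ["2.2.2"]],
  ["@cap-js/sqlite", ["2.2.2"]],
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Takes a parsed package-lock.json and returns
// { affected: [...], installScripts: [...] } as sorted "name@version" strings.
function auditLockfile(lock) {
  const affected = [];
  const installScripts = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name) continue; // root project entry ("") has no package name
    const id = `${name}@${meta.version}`;
    if ((AFFECTED.get(name) || []).includes(meta.version)) affected.push(id);
    // npm sets hasInstallScript when a package declares preinstall,
    // install or postinstall, the hook type this campaign relied on.
    if (meta.hasInstallScript) installScripts.push(id);
  }
  return { affected: affected.sort(), installScripts: installScripts.sort() };
}

// Constructed sample lockfile (hypothetical project, not real data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/db-service": { version: "2.10.0" },
    "node_modules/x/node_modules/@cap-js/postgres": { version: "2.2.2", hasInstallScript: true },
    "node_modules/example-native-addon": { version: "1.0.0", hasInstallScript: true },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

A hit in `affected` means the lockfile pins a compromised release; entries that appear only in `installScripts` are the dependencies to review before allowing lifecycle scripts to run.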