TeamPCP compromised multiple npm packages within SAP's cloud application development ecosystem. The attack, dubbed "Mini Shai-Hulud," represents an expansion of the threat group's supply chain targeting strategy.
Defenders relying on SAP cloud packages should audit their dependencies immediately. The compromised packages sit in the npm registry, where developers automatically pull updates. TeamPCP injected malicious code into legitimate packages, allowing the group to reach downstream organizations without direct vulnerability exploitation.
The npm supply chain remains a persistent vector for TeamPCP. Previous campaigns from this group targeted development infrastructure and build pipelines. This attack follows the same pattern: compromised packages execute during installation or build phases, granting attackers code execution before security tools detect the threat.
Organizations should implement the following controls: pin package versions to known-good releases, scan npm dependencies with supply chain security tools, enforce code review on all dependency updates, and isolate development environments from production networks. Monitor npm audit logs for suspicious package downloads or version changes within your SAP cloud projects.
SAP customers should cross-reference affected package names against their dependency trees. The attack prioritizes broad reach over sophistication, making rapid identification and remediation feasible for teams with visibility into their supply chain.
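One way to run the cross-reference and version-pinning checks described above, as an added example that is not from the original report. It flags lockfile entries that match an affected list, packages that run install-time scripts, and unpinned version ranges. The package names, versions and sample lockfile are constructed placeholders, since this report lists no package names.

```javascript
// Added example. AFFECTED holds constructed placeholders, not real indicators:
// replace it with the package names and versions from the advisory you trust.
const AFFECTED = { "@placeholder-scope/affected-pkg": ["1.2.3"] };

// "node_modules/a/node_modules/@s/b" -> "@s/b"; null for root/workspace paths.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3); manifest: parsed package.json.
function auditLock(lock, manifest, affected = AFFECTED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name === null) continue; // root project or workspace entry
    // Object.hasOwn avoids prototype hits for names such as "constructor".
    if (Object.hasOwn(affected, name) && affected[name].includes(meta.version)) {
      findings.push({ type: "affected", name, version: meta.version, path });
    }
    // npm sets hasInstallScript on packages with install-time lifecycle scripts.
    if (meta.hasInstallScript) {
      findings.push({ type: "install-script", name, version: meta.version, path });
    }
  }
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const [name, range] of Object.entries(deps)) {
    // Only an exact x.y.z is pinned; ^, ~, *, tags and ranges can drift.
    if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range)) {
      findings.push({ type: "unpinned", name, range });
    }
  }
  return findings;
}

// Constructed sample input (not taken from any real project).
const sampleManifest = {
  dependencies: { "@placeholder-scope/affected-pkg": "^1.2.0", "constructed-ok-pkg": "2.0.1" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/@placeholder-scope/affected-pkg": { version: "1.2.3", hasInstallScript: true },
    "node_modules/constructed-ok-pkg": { version: "2.0.1" },
  },
};
console.log(auditLock(sampleLock, sampleManifest));
```

In a real project, pass the parsed contents of package-lock.json and package.json instead of the samples. Installing with `npm ci` keeps builds on exactly the versions the lockfile records.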
