Security Research Highlights Major Supply Chain Attack on SAP Developer Ecosystem

In a significant development within the realm of cybersecurity, security researchers have uncovered a serious supply chain attack aimed explicitly at the SAP developer ecosystem. This alarming breach is attributed to a malicious threat group known as TeamPCP, which has successfully compromised a series of legitimate SAP npm packages. The initiative is part of an overarching campaign dubbed "Mini Shai Hulud," raising the stakes and spotlighting vulnerabilities within this crucial software infrastructure.

Methodology of the Attack

The attackers’ operation hinges on the strategic injection of malevolent pre-install scripts, which activate silently during the installation of dependencies. By employing a complex multi-stage payload strategy, TeamPCP aggressively extracts an array of sensitive information from both developer environments and CI/CD (Continuous Integration/Continuous Deployment) systems. Their sophisticated tactics aim to secretly acquire developer credentials alongside secrets that are essential for cloud-based services and repositories.

Among the targeted packages that have been modified are widely-utilized libraries such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt. The attackers have ingeniously adjusted these libraries to introduce a pre-install script that automatically calls a dropper file named setup.mjs whenever developers execute standard npm install commands. This dropper file circumvents typical execution patterns by downloading the Bun JavaScript runtime which then triggers a highly obfuscated payload, referred to as execution.js, even before the installation of the packages fully concludes.

Once activated, the malware takes the form of an all-encompassing credential scrambler focused on the extraction of GitHub tokens, npm credentials, Kubernetes access tokens, along with secrets from major cloud platforms like AWS, Azure, and Google Cloud Platform. In a striking twist, the malicious software incorporates advanced memory-extraction techniques to target secrets directly from runtime environments. What adds to its cunning is the software’s preliminary check for any Russian language settings; if the system configuration aligns with Russian identifiers, the malware terminates automatically, thereby evading detection from Russian-speaking developers.

Data Exfiltration Strategy

Data siphoned from compromised systems is encrypted using an RSA public key before being exfiltrated to public GitHub repositories controlled by the attackers, leveraging the GraphQL API for this covert operation. This method not only illustrates the escalating sophistication of cyber-attacks but also marks a concerning evolution of tactics as threat actors refine their strategies to enhance data concealment while magnifying their reach into developer tools.

Advances in Browser Targeting

This campaign marks a notable leap in tactical evolution for TeamPCP. For the very first time, their malware exhibits the capability to extract passwords directly from prevalent web browsers, including but not limited to Chrome, Safari, Edge, and Brave. In cases where the initial credential collection fails to yield personal access tokens, the malware activates a fallback routine designed to poison local GitHub repositories. Hidden configuration files are then generated, specifically tailored for contemporary development tools.

For developers utilizing Claude Code, the malware establishes specific hook configurations that ensure the dropper executes in every new session. Conversely, for Visual Studio Code users, a customized task configuration initiates the malware whenever any project folder is accessed, thereby intensifying the potential for compromise.

Recommendations for Organizations

Given the grave implications of this attack vector, security teams are strongly urged to proactively search through artifact stores, analyze lockfiles, and scrutinize CI logs for any signs of the affected package versions and associated malicious files. Organizations are encouraged to rotate all potentially compromised GitHub tokens, cloud credentials, and CI/CD secrets. Furthermore, they should maintain ongoing vigilance by closely monitoring GitHub activities for any unauthorized commits or signs of anomalous repository behavior.

Indicators of Compromise

To aid in identifying compromised files, security experts have outlined critical indicators of compromise (IOCs) linked to the attack (see the table below for details):

As organizations navigate this troubling landscape, continuous education on security measures and preparedness will be vital in safeguarding sensitive information amid increasing cyber threats.

Source link