On April 29, 2026, four malicious open-source package versions were distributed into the NPM ecosystem. These malicious versions appear to exfiltrate information, such as credentials, and attempt to propagate into downstream software packages as well as adjacent software repositories when installed on a system.
If you are uncertain whether your systems have been affected, it is crucial to act promptly. Begin by following the mitigation steps outlined to maintain your environment’s security. Promptly taking these actions will help protect your systems and data from potential risks.
Other Terms
- MBT
- NPM
- CAP
- SAP Cloud Application Programming Model
- MTA Build Tool
List of compromised NPM package versions:
- · @cap-js/sqlite – v2.2.2
- · @cap-js/postgres – v2.2.2
- · @cap-js/db-service – v2.10.1
- · mbt@1.2.48
Solution
If you have identified that you may be affected, perform the following measures via provided SAP Note below:
https://me.sap.com/notes/0003747787
SAP Support Ticket Component : BC-XS-CDX-NJS
Potential references:
