Severity: critical. May 4, 2026

TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages


Socket Research identified a coordinated supply chain attack affecting four npm packages in the SAP CAP ecosystem (mbt, @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite) with a combined weekly download count exceeding 570,000. The affected versions were published on April 29, 2026.

The campaign is attributed with medium confidence to TeamPCP, a threat actor linked to prior supply chain attacks against Aqua Security's Trivy, Checkmarx, the Bitwarden CLI, and Telnyx. The compromised packages steal credentials from developer machines and CI/CD pipelines and exfiltrate them to attacker-controlled GitHub repositories. Teams using SAP CAP, SAP BTP, or MTA-based workflows should audit dependency trees and lockfiles for the affected versions and rotate any credentials present in affected environments.
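The lockfile audit recommended above can be scripted. The following is an added example written for this brief; it is not code from Socket, SAP, or the affected projects. It walks an npm package-lock.json (lockfileVersion 1, 2 or 3), reports every installed copy of the four named packages including nested copies, and flags a copy when its version is in an affected list or when its tarball was not resolved from the official npm registry. Because this brief does not list the affected version numbers, AFFECTED_VERSIONS holds an obvious placeholder that must be replaced with the versions from the source report; the sample lockfile is constructed for the example and is not a real project.

```javascript
// Added example, not code from the advisory or the affected projects.
const ADVISORY_PACKAGES = ["mbt", "@cap-js/db-service", "@cap-js/postgres", "@cap-js/sqlite"];

// Placeholder only: the affected version numbers are not stated in this brief.
// Replace with the versions from the source report before auditing real lockfiles.
const AFFECTED_VERSIONS = {
  "mbt": ["0.0.0-AFFECTED-PLACEHOLDER"],
  "@cap-js/db-service": ["0.0.0-AFFECTED-PLACEHOLDER"],
  "@cap-js/postgres": ["0.0.0-AFFECTED-PLACEHOLDER"],
  "@cap-js/sqlite": ["0.0.0-AFFECTED-PLACEHOLDER"],
};

const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

// Package name from a lockfile v2/v3 install path, e.g.
// "node_modules/parent/node_modules/@cap-js/sqlite" -> "@cap-js/sqlite".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Collect every installed copy of the advisory packages, nested or top-level.
function findAdvisoryPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const name = meta.name || nameFromPath(path);
      if (ADVISORY_PACKAGES.includes(name)) {
        hits.push({ name, version: meta.version, path, resolved: meta.resolved || "" });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree.
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

function walkV1(deps, parentPath, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = parentPath ? `${parentPath}/node_modules/${name}` : `node_modules/${name}`;
    if (ADVISORY_PACKAGES.includes(name)) {
      hits.push({ name, version: meta.version, path, resolved: meta.resolved || "" });
    }
    if (meta.dependencies) walkV1(meta.dependencies, path, hits);
  }
}

// Flag copies at an affected version, and copies whose tarball was not resolved
// from the official registry (a sign the lockfile itself may have been altered).
function assessLockfile(lock) {
  return findAdvisoryPackages(lock).map((hit) => ({
    ...hit,
    affectedVersion: (AFFECTED_VERSIONS[hit.name] || []).includes(hit.version),
    unofficialSource: hit.resolved !== "" && !hit.resolved.startsWith(OFFICIAL_REGISTRY),
  }));
}

// Constructed sample lockfile (not a real project): one copy of mbt at the
// placeholder "affected" version, a nested clean copy of @cap-js/sqlite, and a
// copy of @cap-js/db-service pulled from an unofficial location.
const SAMPLE_LOCK_V3 = {
  name: "example-cap-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cap-app", version: "1.0.0" },
    "node_modules/mbt": {
      version: "0.0.0-AFFECTED-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/mbt/-/mbt-0.0.0-AFFECTED-PLACEHOLDER.tgz",
    },
    "node_modules/@cap-js/db-service": {
      version: "1.0.0",
      resolved: "https://example.invalid/mirror/db-service-1.0.0.tgz",
    },
    "node_modules/example-parent": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-parent/-/example-parent-1.0.0.tgz",
    },
    "node_modules/example-parent/node_modules/@cap-js/sqlite": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/@cap-js/sqlite/-/sqlite-1.0.0.tgz",
    },
  },
};

// Print one line per copy found, with its flags, and return the findings.
function runSampleAudit() {
  const findings = assessLockfile(SAMPLE_LOCK_V3);
  for (const f of findings) {
    const flags = [f.affectedVersion && "AFFECTED VERSION", f.unofficialSource && "UNOFFICIAL SOURCE"].filter(Boolean);
    console.log(`${f.path} ${f.name}@${f.version} ${flags.length ? flags.join(", ") : "ok"}`);
  }
  return findings;
}

runSampleAudit();
```

To audit a real project, replace SAMPLE_LOCK_V3 with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill AFFECTED_VERSIONS from the source report. The path field tells you which parent dependency pulled in a nested copy, which is what you need when the affected package is not a direct dependency; a non-registry `resolved` URL deserves the same scrutiny as an affected version.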

Indicators

  • SHA256 file hashes (8): values missing from the source
  • File name (1): tmp.987654321.lock
  • Domain (1): audit.checkmarx.cx

Detections (10)


  • npm Node Lifecycle Hook Spawning Download Utility to Fetch Bun Runtime
  • npm Lifecycle Script Executing Malicious Payload via Bun Runtime
  • Node or Bun Process Accessing Cloud Instance Metadata API
  • IDE or AI Coding Assistant Persistence Backdoor Execution
  • GitHub Repository Created with TeamPCP Three-Segment Naming Pattern
  • Detect tampered release artifacts, force-pushed tags, or unauthorized package publications in CI/CD
  • Detect encoded PowerShell, download cradles, and AMSI bypasses
  • Detect data exfiltration to code repositories via automated commits or release uploads
  • Monitor for JavaScript execution outside of browsers, particularly via wscript or cscript
  • Detect malware resolving C2 addresses from public web services (pastebins, calendars, DNS TXT)