

























Socket is investigating a suspected supply chain attack affecting multiple npm packages associated with SAP’s JavaScript and cloud application development ecosystem.
At the time of publication, Socket has identified the following affected package versions:
Socket’s analysis indicates that the affected versions introduced new installation-time behavior that was not previously part of these packages’ expected functionality. The compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary.
These packages did not previously require a Bun installer to function, and the sudden addition of a binary-downloading preinstall script created a high-impact execution path during package installation. The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk for affected developer and CI/CD environments.
The affected packages are notable because they are connected to SAP’s Cloud Application Programming Model, or CAP, and SAP cloud deployment workflows. The mbt package is the npm-distributed Cloud MTA Build Tool, which is used to build deployment-ready Multi-Target Application archives for SAP cloud applications. The @cap-js/* packages are database service packages for CAP applications, including SQLite and PostgreSQL integrations.
Importantly, @cap-js/sqlite is not the generic SQLite library. It is SAP CAP’s SQLite database service package. CAP commonly uses SQLite for local development and testing, including in-memory database workflows.
Based on current npm download estimates available to Socket, the affected packages have meaningful reach across the SAP developer ecosystem, with approximate weekly downloads of:
mbt: 52,000@cap-js/postgres: 10,000@cap-js/db-service: 260,000@cap-js/sqlite: 250,000Socket recommends that developers and security teams immediately review dependency trees and lockfiles for the affected versions. Teams using SAP CAP, SAP Business Technology Platform workflows, or MTA-based deployment pipelines should verify whether these packages were installed during the suspected exposure window.
Until more technical details are confirmed, teams should avoid installing the affected versions, rotate any credentials or tokens that may have been exposed in build or developer environments, and review CI/CD logs for unexpected network activity or binary execution.
Early timeline information suggests the suspicious versions were published within a short window on April 29, 2026:
mbt@1.2.48: published around 09:55 UTC@cap-js/sqlite@2.2.2: published around 11:25 UTC@cap-js/postgres@2.2.2: published around 12:14 UTC@cap-js/db-service@2.10.1: published around 12:14 UTCOne affected version, @cap-js/sqlite@2.2.2, appears to have already been unpublished, based on early review. Because npm download counts can lag or be aggregated, current package download numbers may not be exact.
This is a developing story. Socket’s threat research team is continuing to analyze the affected packages and will publish technical details as more information becomes available.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。