572K Weekly Downloads, One Preinstall Script: The SAP CAP Supply Chain Attack Your AI Agent Would Have Missed

DEV Community·Toni Antunovic·about 1 month ago

Today the Socket Research Team published a report that needs to be in your queue: four SAP CAP npm packages were compromised with malicious preinstall scripts. Combined, those packages account for 572,000 weekly downloads. The script downloaded and executed a Bun binary from GitHub Releases; on Windows it invoked PowerShell with -ExecutionPolicy Bypass.

Affected packages:

- mbt@1.2.48: 52,000 weekly downloads
- @cap-js/db-service@2.10.1: 260,000 weekly downloads
- @cap-js/postgres@2.2.2: 10,000 weekly downloads
- @cap-js/sqlite@2.2.2: 250,000 weekly downloads

The @cap-js namespace is the official SAP Cloud Application Programming Model runtime; these are the core database and service layers for SAP BTP cloud-native apps.

What the preinstall hook actually did

npm's preinstall lifecycle script runs while the package is being installed, before any of your own code executes and before any scanner that inspects the installed tree gets a look at it. A lockfile does not stop it either: the lockfile pins a version and the integrity hash of whatever tarball was published under that version, and these versions were published already compromised.…
