TeamPCP — Claude Code Used to Publish Malicious SAP CAP npm Packages

AI relevance: An AI coding assistant's GitHub integration was weaponized as the attack vector to compromise an enterprise open-source release pipeline, enabling supply-chain poisoning at scale.

What Happened

On April 29, 2026, the threat actor behind the TeamPCP campaign (previously responsible for the Bitwarden CLI compromise) published malicious versions of four SAP Cloud Application Programming (CAP) framework npm packages used by thousands of enterprise applications:

• @cap-js/sqlite@2.2.2
• @cap-js/postgres@2.2.2
• @cap-js/db-service@2.10.1
• mbt@1.2.48

The campaign, self-styled “Mini Shai-Hulud,” shares the same malware architecture as the earlier Bitwarden attack but introduces a novel attack method: rather than stealing static tokens or impersonating a developer, the attacker exploited Claude Code's GitHub integration running on an infected developer's machine to commit directly to SAP's cap-js/cds-dbs repository under the identity claude@users.noreply.github.com.

The malicious commits modified the repository's release workflow to extract an npm OIDC token, which was then used to publish the infected packages to the public registry. SAP detected the compromise and superseded all four packages with clean releases by 13:45 UTC the same day.

Technical Details

• The compromised packages inject a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases and executing the extracted binary.
• The downloaded Bun payload is an ~11 MB obfuscated script designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes.
• The implementation follows HTTP redirects without validating destination URLs, enabling secondary payload downloads from attacker-controlled infrastructure.
• Forensic analysis shows the injected files were timestamped between 15:25 and 17:43 UTC on April 29, indicating the tarballs were post-processed after the Claude Code commit.
• GitGuardian identified 7 stolen GitHub tokens providing access to 971 repositories, with the attack still actively propagating at time of reporting.

Why It Matters

This is the first documented case of an AI coding assistant's authenticated repository access being weaponized to compromise an enterprise release pipeline. The attacker didn't need to phish a maintainer or steal an npm token directly; they piggybacked on Claude Code's own GitHub OAuth session to make commits that appeared legitimate. This attack pattern fundamentally changes the threat model for AI-assisted development: any coding assistant with write access to a repository becomes a potential supply-chain vector.

The fact that this is an escalation of the same TeamPCP campaign that hit Bitwarden CLI earlier signals an organized, persistent adversary specifically targeting AI-adjacent tooling and developer ecosystems.

What to Do

• Immediately audit all SAP CAP project dependencies for the compromised package versions and remove them.
• Rotate all npm tokens, GitHub tokens, and CI/CD secrets that may have been exposed during the window of compromise.
• Review Claude Code (or any AI coding assistant) OAuth and GitHub app permissions; revoke access from any potentially infected developer machines.
• Implement branch protection rules requiring human review for workflow file changes, even from trusted bot accounts.
• Monitor for the known Indicators of Compromise published by Mend, Socket, and Wiz (see sources below).

Sources

• Mend — Shai-Hulud: SAP CAP Supply Chain Attack Via Claude Code
• Socket — TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA
• Wiz — Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
• StepSecurity — A Mini Shai-Hulud has Appeared
• GitGuardian — A Mini Shai-Hulud Targeting the SAP Ecosystem