Official SAP npm Packages compromised to steal Credentials and Authentication Tokens from Developers' Systems.

Security researchers report that the compromise impacted four packages, with the versions now deprecated on NPM:

• @cap-js/sqlite – v2.2.2
• @cap-js/postgres – v2.2.2
• @cap-js/db-service – v2.10.1
• mbt – v1.2.48

⁉️These packages support SAP's Cloud Application Programming Model [CAP] and Cloud MTA, which are commonly used in enterprise development.⁉️

https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack

#sap #npmpackages #secure #programming #developer #security #privacy #infosec #tech #news

#Supplychainattacks targeting security and developer tools continue, with #SAP, #Intercom, and #lightning #npmpackages compromised. The attacks, attributed to TeamPCP, involve credential-stealing malware that self-propagates, encrypts stolen data, and exfiltrates it to a new GitHub repository. https://www.theregister.com/2026/04/30/supply_chain_attacks_sap_npm_packages/?eicker.news #tech #media #news
The Register: The never-ending supply chain attacks worm into SAP npm packages, other dev tools. Mini Shai-Hulud caught spreading credential-stealing malware.

Malware Targets SAP npm Packages in Supply Chain Attack

A new supply-chain attack campaign, dubbed mini Shai-Hulud, is targeting SAP-related npm packages, delivering credential-stealing malware that threatens JavaScript and cloud applications. This sneaky attack puts sensitive data at risk, and experts are warning of a potentially massive impact.

https://osintsights.com/malware-targets-sap-npm-packages-in-supply-chain-attack?utm_source=mastodon&utm_medium=social

#SupplyChainAttack #MalwareOperations #Sap #NpmPackages #CredentialstealingMalware


How-To Geek: NPM packages are infected with malware, again. “It should be noted that the issue actually seems to spill over into the Maven ecosystem. Researchers observed that the malicious payload was present in org.mvnpm:posthog-node, a Maven artifact automatically generated from npm packages. This confirms that the automated bridging of software ecosystems can inadvertently bridge security […]

https://rbfirehose.com/2025/11/26/how-to-geek-npm-packages-are-infected-with-malware-again/

🐛 Oh joy, another thrilling episode of "Whack-a-Mole: Software Edition," where 300+ NPM packages show us that open source security is an oxymoron! 🎉 #HelixGuard struts in with their clipboard and magnifying glass, ready to save the day—right after the damage is done. 🔍📝
https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24 #openSourceSecurity #NPMpackages #softwareVulnerabilities #cybersecurity #HackerNews #ngated

Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.

http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages


There's a new release for bgg-client, my JavaScript library for making it easier to use the BoardGameGeek API in your apps!

I've added validation, and have done a lot of work behind the scenes to ensure data integrity, more consistent typing, and better type-safety.

https://www.npmjs.com/package/bgg-client

#webdev #javascript #typescript #NPMPackages #boardgames


Just dropped a new release of bgg-client with a breaking change:

An API key from BoardGameGeek is now required.

https://www.npmjs.com/package/bgg-client

#webdev #javascript #NPMPackages #boardgames

🎩✨ "Let the little guys in," they say, as if trusting your bank account and ChatGPT with any random npm package is the next big thing! 🤡 Here’s a revolutionary thought: instead of locking down data, let’s just open the floodgates and watch as the personalized web devolves into majestic chaos. 🚀🌐
https://arjun.md/little-guys #OpenData #WebChaos #npmPackages #TrustInTech #PersonalizedWeb #HackerNews #ngated
Let the little guys in: Towards a context sharing runtime for the personalised web | Arjun Khoosal

A colleague pointed me to this:
https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code

TLDR: Some #malware in fake #npmpackages downloaded and executes commands stored in an #Ethereum #smartcontract , effectively abusing the contract as a command-and-control server.

#npm #smartcontracts

ReversingLabs: Ethereum smart contracts used to push malicious code on npm. RL discovered how the contracts were abused, and how this incident is part of a larger campaign to promote malicious packages on top repositories.