New supply chain attacks have infiltrated widely used developer packages from SAP, Intercom, and the Lightning PyPI project, installing sophisticated malware designed to steal sensitive credentials and propagate further infections across developer environments and CI/CD pipelines.

  • SAP, Intercom, and Lightning packages compromised with credential-stealing malware
  • Malware targets developer secrets across npm and PyPI ecosystems
  • TeamPCP group behind multi-stage, self-propagating attack campaign

What happened

Between April 29 and 30, 2026, attackers compromised multiple versions of critical developer packages, including SAP’s JavaScript-related npm modules, the intercom-client npm package, and the Lightning package on PyPI. These packages, collectively downloaded hundreds of thousands of times weekly, were modified to run malicious install-time code: on npm, a preinstall lifecycle script, which the package manager executes automatically during installation unless scripts are disabled, so simply installing the poisoned version was enough to trigger the payload.

The attackers deployed a multi-stage payload designed to steal a wide range of developer credentials such as GitHub tokens, cloud service secrets (AWS, Azure, GCP), Kubernetes tokens, and CI/CD pipeline secrets. The stolen data is encrypted and exfiltrated via newly created public GitHub repositories under victims’ own accounts, while the malware also propagates itself to additional package distributions and repositories.


Why it matters

These supply chain attacks threaten the integrity of development environments and cloud application infrastructure by compromising essential tools and widely adopted packages. Since these npm and PyPI dependencies are fundamental parts of developer workflows, the malware gains access to highly sensitive credentials that can enable further intrusions into organizations’ cloud and source control environments.

The attackers’ use of sophisticated propagation and encryption techniques makes detecting and mitigating these infections more difficult. The involvement of TeamPCP, a cybercrime group linked to several previous high-profile supply chain attacks, underscores the ongoing risks posed by persistent malicious actors exploiting open source package ecosystems.

What to watch next

Security teams and developers should prioritize auditing their usage of the affected SAP, intercom-client, and Lightning packages: check lockfiles and installed trees for the compromised versions, pin to known-clean releases, and treat every credential that was reachable from a machine or CI runner that installed an affected version (GitHub tokens, cloud keys, Kubernetes and pipeline secrets) as exposed, rotating rather than merely revoking it. Because the malware parks encrypted loot in new public repositories under the victim's own GitHub account, reviewing repositories created in that account during the attack window is a cheap way to spot successful exfiltration.
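The three checks above, as an added example that is not code from the page, from SAP, Intercom, Lightning, or from the firms tracking the campaign: enumerate installed npm packages that declare install-time lifecycle scripts (the mechanism this campaign used), report which versions of named packages a package-lock.json pins so they can be compared against the vendors' clean releases (this briefing lists no version numbers), and flag public GitHub repositories created after a given date from a /user/repos listing. The manifests, lockfile, repository entries and the "@sap/example" package name are constructed for illustration.

```python
"""Triage helpers for an npm install-script supply-chain compromise.
Added example; sample manifests, lockfile and repo entries are constructed."""
import json
import os
from datetime import datetime, timezone

# npm runs these automatically during `npm install` unless --ignore-scripts is set;
# the campaign described above used preinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest):
    """Return {hook: command} for the install-time scripts a package.json declares."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def _is_package_root(path):
    """True for node_modules/<pkg> and node_modules/@scope/<pkg> directories,
    so a package's own dist/ or test fixtures are not mistaken for packages."""
    parent = os.path.basename(os.path.dirname(path))
    grand = os.path.basename(os.path.dirname(os.path.dirname(path)))
    return parent == "node_modules" or (parent.startswith("@") and grand == "node_modules")


def scan_node_modules(root):
    """Walk an installed tree and list (package, hook, command) for every package
    that declares an install-time script. Each hit deserves a look: legitimate
    native-build hooks exist, but a credential stealer also lives here."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files or not _is_package_root(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue
        for hook, cmd in install_hooks(manifest).items():
            hits.append((manifest.get("name", dirpath), hook, cmd))
    return hits


def pinned_versions(lockfile, names):
    """Return {name: sorted versions} for the given packages from a
    lockfileVersion 2/3 package-lock.json, whose entries are keyed
    'node_modules/<name>' (nested copies under other packages included)."""
    found = {}
    for key, entry in (lockfile.get("packages") or {}).items():
        if not key:  # "" is the root project itself
            continue
        name = key.rsplit("node_modules/", 1)[-1]
        if name in names:
            found.setdefault(name, set()).add(entry.get("version"))
    return {n: sorted(v) for n, v in found.items()}


def new_public_repos(repos, since):
    """Flag public repositories created at or after `since` from GitHub
    /user/repos entries. The campaign exfiltrated encrypted secrets into new
    public repos under the victim's own account, so unexpected hits here
    are a direct indicator of successful theft."""
    flagged = []
    for r in repos:
        created = datetime.fromisoformat(r["created_at"].replace("Z", "+00:00"))
        if not r.get("private", True) and created >= since:
            flagged.append(r["full_name"])
    return flagged


# Constructed samples (not real package contents or real repositories).
SAMPLE_MANIFEST_CLEAN = {"name": "example-clean", "version": "1.0.0",
                         "scripts": {"test": "jest"}}
SAMPLE_MANIFEST_HOOKED = {"name": "example-hooked", "version": "1.0.1",
                          "scripts": {"preinstall": "node setup.js", "test": "jest"}}
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/intercom-client": {"version": "1.2.3"},
    "node_modules/@sap/example": {"version": "4.5.6"},
    "node_modules/other/node_modules/intercom-client": {"version": "1.2.0"},
}}
SAMPLE_REPOS = [
    {"full_name": "dev/old-project", "private": False, "created_at": "2025-01-10T09:00:00Z"},
    {"full_name": "dev/notes", "private": True, "created_at": "2026-04-30T01:00:00Z"},
    {"full_name": "dev/a8f3c2", "private": False, "created_at": "2026-04-30T02:15:00Z"},
]
ATTACK_WINDOW_START = datetime(2026, 4, 29, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("hooks in hooked manifest:", install_hooks(SAMPLE_MANIFEST_HOOKED))
    print("pinned:", pinned_versions(SAMPLE_LOCK, {"intercom-client", "@sap/example"}))
    print("new public repos:", new_public_repos(SAMPLE_REPOS, ATTACK_WINDOW_START))
    print("install scripts in ./node_modules:", scan_node_modules("node_modules"))
```

In a real investigation, feed `pinned_versions` the parsed package-lock.json of each project, `scan_node_modules` the installed tree on any developer machine or CI runner, and `new_public_repos` the JSON from `GET /user/repos` for each account whose token may have been present; a hit in the third check means rotation is overdue, not merely advisable. Setting `ignore-scripts=true` in `.npmrc` for CI installs removes the preinstall execution path entirely, at the cost of breaking packages that legitimately build native code on install.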

The broader developer and security community will be closely observing further disclosures from security firms Wiz and Socket, who are tracking this campaign. Updates may include additional compromised packages or new attack techniques, emphasizing the critical need for enhanced supply chain security practices and proactive threat detection within development pipelines.

Source assisted: This briefing began from a discovered source item from The Register Headlines.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published.
