
Malicious Preinstall Scripts Compromise SAP Development Packages

Incident Overview

On April 29, 2026, between 09:55 UTC and 12:14 UTC, attackers released compromised versions of several npm packages linked to SAP's JavaScript and cloud application development ecosystem. These packages contained preinstall scripts that executed credential-stealing malware on developer machines. The attack targeted npm OIDC tokens, developer credentials, and configuration files for AI coding agents, creating multiple persistence vectors within development environments.

Attack Timeline

April 29, 2026, 09:55 UTC: First compromised package version published to npm registry.

April 29, 2026, 09:55 UTC - 12:14 UTC: Additional malicious package versions released across multiple SAP-related packages.

April 29, 2026, post-12:14 UTC: Aikido Security identifies and reports the attack.

Current status: Investigation ongoing; affected packages identified, but full scope of credential compromise unknown.

Security Control Failures

Package Integrity Verification: Organizations lacked automated verification of package checksums or signatures before installation, allowing preinstall scripts to execute unchecked.

Dependency Pinning and Lock File Enforcement: Teams using loose version ranges automatically pulled malicious versions. Without mandatory lock file reviews in CI/CD, these updates spread unchecked.

OIDC Token Scope Limitation: npm OIDC tokens had excessive permissions, offering broad registry access instead of being scoped to specific packages and actions.

Preinstall Script Execution Policy: Development environments allowed arbitrary preinstall script execution without sandboxing or approval workflows, which is npm's default behavior.

AI Coding Agent Configuration Security: Organizations did not monitor AI coding agent config files as sensitive assets, allowing them to be used as persistence mechanisms without detection.

Network Egress Filtering: Developer workstations had unrestricted outbound network access, enabling malware to exfiltrate credentials without obstruction.

Compliance Standards

NIST 800-53 Rev 5 Control SA-12 (Supply Chain Protection): Requires integrity verification tools to detect unauthorized changes to software, including package managers. Verify package integrity before installation.

ISO/IEC 27001:2022 Control 8.31: Mandates security controls in development environments proportionate to data sensitivity. Developers with production credentials or OIDC tokens with production scope violate this control.

OWASP ASVS v4.0.3 Requirement 14.2.3: Requires signature verification and checksum validation for third-party components.

SOC 2 Trust Service Criteria CC6.6: Requires logical access security measures to protect against supply chain attacks.

PCI DSS v4.0.1 Requirement 6.3.2: Mandates identification and addressing of security vulnerabilities throughout the software lifecycle, including dependency management.

Actionable Steps for Your Team

Implement Package Signature Verification: Configure npm to require package signatures using npm config set verify-signatures true. Maintain an approved list of unsigned packages and reject any other unsigned package in CI/CD.

Correctly Scope OIDC Tokens: Limit npm OIDC tokens to specific packages and actions. Review token permissions immediately to ensure they are not overly broad.

Disable Preinstall Scripts in CI/CD: Use --ignore-scripts in all npm install commands within CI/CD pipelines. Allow preinstall scripts only for approved packages, auditing them monthly.

Pin Dependencies with Cryptographic Hashes: Ensure package-lock.json contains integrity hashes for every dependency. Enforce this in CI/CD and use npm ci instead of npm install in automated environments.

Monitor AI Coding Agent Configurations: Treat directories like .cursor/, .aider/, and .copilot/ as sensitive assets. Add them to your file integrity monitoring systems.

Implement Egress Filtering for Development Networks: Restrict internet access on developer machines to approved package registries, git repositories, and SaaS tools. Block all other connections.

Audit Dependency Update Process: Establish a review process for dependency updates, focusing on new maintainers and major version changes. Avoid auto-merging updates without review.

Establish Package Provenance Verification: Verify new dependencies for package age, maintainer reputation, download statistics, and commit activity. Investigate sudden changes in these metrics.

Close the gap between awareness of supply chain attacks and implementing controls to prevent them. Start with OIDC token scoping and preinstall script policies for immediate impact.
