Supply chain compromise of legitimate SAP packages, published by the threat actor "cloudmtabot@gmail.com" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs (4.4 KB) and execution.js (11.1 MB) are bundled in the tarball, and package.json declares a preinstall hook of "node setup.mjs". Notably, setup.mjs is explicitly excluded from the package.json 'files' allowlist yet is still shipped in the tarball. This is a manifest evasion technique: the malicious file is hidden from anyone who inspects only the allowlist, but it still executes on install. execution.js (11.1 MB) is anomalously large for these packages and is consistent with an embedded payload or exfiltration binary. The packages were published 2026-04-29T09:55Z.
@cap-js/postgres is the PostgreSQL database adapter for SAP's Cloud Application Programming (CAP) model. Its presence in CI/CD pipelines gives the payload access to database credentials and build environment secrets.
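The fingerprint described above can be checked mechanically before a package is allowed into a build. The following is an added example, not code from the advisory or from SAP; the function names, the 5 MiB size threshold, the simplified 'files' matching and the sample manifest and file listing are all assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package.json against the tarball's file listing.
const HOOKS = ["preinstall", "install", "postinstall"];
const MAX_JS_BYTES = 5 * 1024 * 1024; // assumed threshold, tune per package

// Simplified "files" matching (assumption): exact path, directory prefix and
// "*" wildcards. This is not a full reimplementation of npm's packing rules.
function matches(pattern, path) {
  const p = pattern.replace(/^\.\//, "").replace(/\/$/, "");
  if (path === p || path.startsWith(p + "/")) return true;
  const re = p.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*+/g, ".*");
  return new RegExp("^" + re + "(/.*)?$").test(path);
}

// True when the path is listed by a positive entry and not by a "!" negation.
function inAllowlist(path, files) {
  if (!Array.isArray(files)) return true; // no allowlist declared
  const neg = files.filter((f) => f.startsWith("!")).map((f) => f.slice(1));
  const pos = files.filter((f) => !f.startsWith("!"));
  return pos.some((f) => matches(f, path)) && !neg.some((f) => matches(f, path));
}

function auditPackage(manifest, entries) {
  const findings = [];
  const shipped = new Set(entries.map((e) => e.path));
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    // Script files named in the hook command, e.g. "node setup.mjs".
    for (const ref of cmd.match(/[\w./-]+\.(?:mjs|cjs|js)\b/g) || []) {
      const path = ref.replace(/^\.\//, "");
      if (shipped.has(path) && !inAllowlist(path, manifest.files))
        findings.push({ rule: "hook-runs-file-outside-allowlist", hook, path });
    }
  }
  for (const e of entries)
    if (/\.(?:mjs|cjs|js)$/.test(e.path) && e.size > MAX_JS_BYTES)
      findings.push({ rule: "oversized-js", path: e.path, size: e.size });
  return findings;
}

// Constructed sample modelled on the description above; the "files" entries,
// lib/index.js and the byte sizes (about 4.4 KB and 11.1 MB) are assumptions.
const sampleManifest = {
  scripts: { preinstall: "node setup.mjs" },
  files: ["lib", "execution.js", "!setup.mjs"],
};
const sampleEntries = [
  { path: "lib/index.js", size: 20000 }, { path: "setup.mjs", size: 4400 },
  { path: "execution.js", size: 11100000 },
];
```

The file listing has to come from the tarball itself (for example the output of `tar -tzf`), not from the manifest, because the manifest is exactly what this technique makes misleading.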
-= Per source details. Do not edit below this line.=-
The package @cap-js/postgres was found to contain malicious code.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
2.2.2
Score: 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: AV:N, AC:L, PR:N, UI:N
Scope: S:C
Impact: C:H, I:H, A:H