Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware (Campaign)
ID: a990abc3-311e-5ef9-9875-a06cf1e198a3
STIX ID: report--a990abc3-311e-5ef9-9875-a06cf1e198a3
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-04-29
Date Updated: 2026-05-11
Author: Wiz Threat Research
Malicious versions of SAP ecosystem npm packages (e.g., @cap-js/sqlite, @cap-js/postgres) included a preinstall script that runs setup.mjs to download the Bun runtime and execute an obfuscated payload. The second-stage payload is a credential stealer and propagation framework that targets developer environments and CI/CD pipelines. It collects GitHub, npm, cloud and Kubernetes credentials (including extracting secrets from runner memory), exfiltrates encrypted payloads via public GitHub repositories, propagates to additional repositories/packages, and contains a locale-based kill-switch to avoid Russian-speaking systems.
