SAP hit by supply‑chain attack
- SAP said four malicious versions of SAP-linked npm packages were pushed on April 29, hitting developer workflows tied to CAP and the MTA Build Tool.
- The tainted releases targeted credentials and tried to spread into adjacent repositories, while SAP’s Q1 filing showed €21.9 billion cloud backlog and a $480 million settlement payment.
- That mix matters because SAP is winning the cloud migration race, but now has to prove its developer supply chain is trustworthy.
SAP’s problem this week was not a classic ERP outage. It was a software supply-chain hit aimed at the tools developers use to build on top of SAP. That matters because SAP is in the middle of selling customers on a big cloud-and-transformation story — move core finance and operations into SAP’s stack, then extend it with custom apps and integrations. On April 29, four malicious package versions landed in that extension layer, right as investors were still digesting SAP’s April 23 first-quarter results. (community.sap.com)

### What actually got compromised?

The affected pieces were npm packages in SAP’s JavaScript ecosystem — `mbt`, `@cap-js/db-service`, `@cap-js/sqlite`, and `@cap-js/postgres`. Those are not fringe toys. `mbt` is the Cloud MTA Build Tool used to package apps for deployment, and the `@cap-js` packages sit inside SAP’s Cloud Application Programming Model, or CAP, which developers use to build business applications on SAP Business Technology Platform. (snyk.io)

### Why is that a big deal?

Because the attack sat in the install path. If a developer or CI runner pulled one of the poisoned versions, the malicious code could execute during dependency installation. SAP’s own community warning said the packages appeared to exfiltrate credentials and also tried to propagate into downstream packages and nearby repositories. That is the nasty version of a package com(snyk.io)ys through the build chain. (community.sap.com)

### What did the malware try to steal?

Security researchers say the payload focused on developer credentials, authentication tokens, cloud secrets, and CI/CD material. Several writeups tie the campaign to the “Mini Shai-Hulud” cluster and describe a Bun-based stealer that tried to harvest useful access from machines bui(community.sap.com)nd-user SAP screens. (securityweek.com)

### What is SAP telling customers to do?

Move fast.
SAP’s call to action tells CAP developers to check whether they consumed the malicious versions and to apply the mitigation and solution steps SAP published. The company framed this as malicious open-source package versions in the public npm ecosystem, which is an important distinction — this was not a newly disclosed flaw in the core(securityweek.com)nly helps so much, because the risk still lands inside real enterprise workflows. (community.sap.com)

### How does this collide with the earnings story?

Awkwardly. SAP’s Q1 2026 numbers were strong on the cloud metrics that matter most: current cloud backlog hit €21.932 billion, cloud revenue rose 19%, and Cloud ERP Suite revenue rose 23%. But the quarter also included a full $480 million, or €408 million, settlement pa(community.sap.com)d up. (news.sap.com)

### Why should finance leaders care?

Because modern ERP programs do not stop at the core ledger. They sprawl into extensions, connectors, custom workflows, and developer tooling. If the build tool or framework package gets poisoned, the control environment around finance transformation gets shakier even when the ERP core is fine. Basically, the more SAP succeeds in becoming the platform where customers build(news.sap.com)f the trust story. (help.sap.com)

### Is this a business crisis or a contained scare?

Right now it looks more like a serious trust test than a proven business collapse. SAP’s cloud engine is still growing fast, and nothing public so far suggests the core applications themselves were breached. But supply-chain attacks hit a sensitive nerve because they weaponize normal maintenance behavior — developers installing updates, pipeline(help.sap.com)is incident lands harder than a routine bug. (news.sap.com)

The bottom line is simple: SAP’s growth story is intact, but this attack exposed the softer underbelly of that story.
When a company sells the platform for running the business, customers expect the code around that platform to be boringly trustworthy too. (news.sap.com)