A successful infection hands the attacker whatever the installing process can reach: valid credentials for your cloud infrastructure (AWS, Azure, and GCP) plus any secret your build pipelines can read, including production database passwords, API keys, and internal service tokens. A credential breach of this type can lead to data exfiltration, ransomware deployment, or long-term persistent access that is hard to scope and expensive to remediate, with direct regulatory exposure if the stolen secrets govern systems that handle regulated data. Because stolen credentials stay valid until they are rotated, removing the packages alone does not end the exposure. The SAP CAP packages targeted here serve enterprise software development teams worldwide; any organization building or deploying SAP CAP applications is a realistic target.
You Are Affected If
You install @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, or mbt as npm dependencies in any build, CI/CD, or development environment
You use @bitwarden/cli installed via npm rather than the official Bitwarden release channel
Your CI/CD pipelines use the Checkmarx ast-github-action, ast-results, or cx-dev-assist actions and you have not verified the pinned versions against the IOCs published by Wiz or Unit 42
Your build agents or developer environments can reach AWS credentials, Azure Key Vault or GCP Secret Manager secrets, or Kubernetes credentials while packages are being installed (for example through environment variables or mounted credential files available to npm install)
You do not enforce npm package integrity verification (for example lockfile enforcement with npm ci, provenance attestation, or a private registry allow-list), so a newly published malicious version can be pulled in without review
Board Talking Points
Attackers embedded credential-stealing code in widely used developer tools targeting our cloud infrastructure secrets and build pipeline access.
Security and engineering teams should audit every environment for the affected packages and rotate cloud credentials within 24 hours, starting with CI/CD environments, which hold the broadest set of secrets.
Without immediate rotation, attackers retain valid access to cloud environments long after the malicious packages are removed, because the stolen credentials keep working until they are revoked.
SOC 2 — CI/CD pipeline secret compromise directly implicates the availability and confidentiality criteria and the logical access controls (CC6) required under the Trust Services Criteria
ISO/IEC 27001 — a supply chain attack against build tooling triggers the Annex A controls on supplier relationships (A.15) and operations security (A.12) in the 2013 numbering; the 2022 revision covers the same ground in the supplier controls 5.19 to 5.23 and the technological controls of clause 8
PCI-DSS — if compromised build pipelines deploy to, or hold credentials for, systems in the cardholder data environment, the secret exfiltration is a security incident that must be handled under the incident response plan required by Requirement 12.10