A developer or automated build system that installed any of the four compromised SAP packages may have handed an attacker the keys to your cloud infrastructure — credentials sufficient to read, exfiltrate, encrypt, or destroy data in AWS, Azure, or Google Cloud environments. Beyond data loss, attackers holding cloud and Kubernetes credentials can provision unauthorized resources at your expense, implant persistent backdoors, or pivot to customer-facing systems. If your SAP CAP development pipeline connects to production environments or shared credential stores, the exposure is not limited to development systems.
You Are Affected If
Your development or CI/CD environment has installed @cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1, or mbt v1.2.48
Your CI/CD pipelines (CircleCI, GitHub Actions) store cloud provider credentials, SSH keys, or npm publish tokens as environment variables or secrets accessible during build steps
Your build agents run as identities with access to AWS, Azure, or GCP credential files or Kubernetes in-cluster service account tokens
Your npm publish tokens are scoped broadly enough to allow publishing to SAP CAP-related packages or other packages in your organization's namespace
You have not yet audited package-lock.json or yarn.lock files across all repositories for the affected version strings
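One way to carry out the lockfile audit in the last item above, as an added example that is not part of the advisory or SAP's tooling: a small Node script that walks package-lock.json (lockfileVersion 1, 2 and 3 layouts) and yarn.lock (v1 text format) for the four compromised package versions. The sample lockfiles at the bottom are constructed for the self-check, not taken from any real project.

```javascript
// Compromised package@version pairs from the advisory; extend if more are named.
const COMPROMISED = { '@cap-js/sqlite': ['2.2.2'], '@cap-js/postgres': ['2.2.2'],
  '@cap-js/db-service': ['2.10.1'], mbt: ['1.2.48'] };
const isCompromised = (name, version) => (COMPROMISED[name] || []).includes(version);

// package-lock.json: lockfileVersion 1 nests "dependencies"; v2 and v3 also
// list every installed package under "packages", keyed by node_modules path.
function scanPackageLock(lock) {
  const hits = new Set();
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (isCompromised(name, info.version)) hits.add(`${name}@${info.version}`);
      walk(info.dependencies); // v1 nests non-hoisted dependencies
    }
  };
  walk(lock.dependencies);
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = info.name || path.slice(path.lastIndexOf('node_modules/') + 13);
    if (isCompromised(name, info.version)) hits.add(`${name}@${info.version}`);
  }
  return [...hits];
}

// yarn.lock (v1 text format): an unindented header lists one or more
// "name@range" specifiers; the resolved version follows on an indented line.
function scanYarnLock(text) {
  const hits = new Set();
  let names = [];
  for (const line of text.split('\n')) {
    if (line && !/^[\s#]/.test(line) && line.endsWith(':')) {
      names = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''))
        .map((spec) => spec.slice(0, spec.lastIndexOf('@'))); // drop the range
    } else {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) for (const n of names) if (isCompromised(n, m[1])) hits.add(`${n}@${m[1]}`);
    }
  }
  return [...hits];
}

// Constructed sample lockfiles (not real project files) for a self-check.
const SAMPLE_PACKAGE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-cap-app', version: '1.0.0' },
  'node_modules/@cap-js/sqlite': { version: '2.2.2' },
  'node_modules/@cap-js/db-service': { version: '2.10.0' } } };
const SAMPLE_YARN_LOCK = ['# yarn lockfile v1', '', '"@cap-js/postgres@^2.2.0":',
  '  version "2.2.2"', '', 'mbt@^1.2.0:', '  version "1.2.48"'].join('\n');
console.log(scanPackageLock(SAMPLE_PACKAGE_LOCK), scanYarnLock(SAMPLE_YARN_LOCK));
```

Point the two functions at each repository's real lockfile (read with fs and JSON.parse for package-lock.json); any hit means the build secrets listed above should be treated as exposed and rotated.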
Board Talking Points
Attackers compromised four official SAP developer tools used in our cloud application builds, giving them potential access to credentials that control our cloud infrastructure.
Security and engineering teams should audit all build pipelines for the affected package versions and rotate all associated cloud credentials within 24 hours.
Without immediate action, attackers holding stolen credentials could access, exfiltrate, or destroy data in our cloud environments and potentially expand access to customer-facing systems.
SOC 2 — CI/CD pipeline credential compromise may constitute a security incident requiring disclosure under trust service criteria for logical access controls
GDPR / regional data protection — if cloud environments accessed via stolen credentials store personal data of EU residents, a breach investigation and potential supervisory authority notification may be required
PCI-DSS — if compromised cloud environments or Kubernetes clusters are in scope for the cardholder data environment, unauthorized credential access triggers incident response and potential assessor notification obligations