3 matches found
SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack
Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm packages with credential-stealing malware. According to reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calli...
com.sap.cds:cds-feature-identity (>=2.0.1 <=2.4.0), com.sap.cds:cds-starter-cloudfoundry (>=2.2.0 <=2.4.0) +7 more potentially affected by CVE-2023-50422 +1 more via com.sap.cloud.security:java-security (>=3.0.0 <=3.2.1)
com.sap.cloud.security:java-security MAVEN version =3.0.0, =2.0.1, =2.2.0, =2.2.0, =1.0.4, =1.0.4, =1.0.4, =3.0.0, =3.0.0, =3.0.0, =3.2.1 Source cves: CVE-2023-50422, CVE-2023-50424 Source advisory: OSV:GHSA-59C9-PXQ8-9C73...
@sap/ui5-builder-webide-extension (=1.0.1), @sersap/ui5-build-tasks (>=0.0.8 <=0.0.13) +7 more potentially affected by CVE-2019-10778 via devcert-sanscache (=0.4.6)
devcert-sanscache NPM version =0.4.6 is affected by a known vulnerability. The following packages have a transitive dependency on devcert-sanscache and may be impacted: - @sap/ui5-builder-webide-extension =1.0.1 - @sersap/ui5-build-tasks =0.0.8, =1.0.0, =1.1.0, =1.0.0, =1.0.0, =2.0.0, =1.0.0,...