TeamPCP 'Mini Shai-Hulud' Supply Chain Attack Hits SAP npm Packages
The TeamPCP threat group has compromised multiple npm packages used in SAP’s cloud application development ecosystem, including the Lightning and Intercom packages, in a campaign dubbed “Mini Shai-Hulud.” Together, the two compromised packages have nearly 10 million monthly downloads.
SecurityWeek reports 1,800 systems were directly hit in this attack wave. SAP developers should audit their npm dependency trees, check installed versions of Lightning and Intercom for unauthorized modifications, and update to clean, verified releases immediately.
This follows a pattern of supply chain campaigns broadening to enterprise developer tooling. TeamPCP’s targeting of SAP ecosystem packages suggests deliberate focus on high-value corporate environments where these packages are commonly deployed.
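To make the dependency-tree audit recommended above concrete, the following added example (not code from SAP, npm, or the original report) walks a parsed `package-lock.json` and reports every direct or transitive copy of a watched package. The watchlist names and versions and the sample lockfile are constructed placeholders; take the real package names and affected versions from the vendor advisory.

```javascript
// Added example: names and versions in WATCHLIST are placeholders, not values
// from the article. Replace them with the entries from the vendor advisory.
const WATCHLIST = {
  "example-lightning-pkg": ["9.9.9"], // placeholder known-bad version
  "example-intercom-pkg": [],         // no version list yet: report every copy
};
const REGISTRY = "https://registry.npmjs.org/";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (handles nested copies)
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Walk the flat "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of a watched package, direct or transitive.
function auditLock(lock, watchlist) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = entry.name || nameFromLockPath(path);
    if (!name || !Object.prototype.hasOwnProperty.call(watchlist, name)) continue;
    findings.push({
      path, name, version: entry.version,
      status: watchlist[name].includes(entry.version) ? "known-bad" : "review",
      // Lifecycle scripts execute at install time, so note when one is declared.
      hasInstallScript: entry.hasInstallScript === true,
      offRegistry: !String(entry.resolved || "").startsWith(REGISTRY),
      integrity: entry.integrity || null, // compare with a verified release
    });
  }
  return findings;
}

// Constructed sample lockfile (not real packages or hashes).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lightning-pkg": { version: "9.9.9", hasInstallScript: true,
      resolved: REGISTRY + "example-lightning-pkg/-/example-lightning-pkg-9.9.9.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-parent": { version: "1.2.3", resolved: REGISTRY + "example-parent/-/example-parent-1.2.3.tgz" },
    "node_modules/example-parent/node_modules/example-intercom-pkg": { version: "2.0.0",
      resolved: "https://mirror.example.invalid/example-intercom-pkg-2.0.0.tgz" },
  },
};
console.log(JSON.stringify(auditLock(SAMPLE_LOCK, WATCHLIST), null, 2));
```

To audit a real project, pass `JSON.parse` of its own `package-lock.json` in place of `SAMPLE_LOCK`.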