SAP A.I CyberSecurity Scoring
Company Information
Website: http://www.sap.com
Employees number: 138,981
Number of followers: 0
NAICS: 5112
Industry Type: Software Development
Homepage: sap.com
SAP Risk Score (AI oriented): 729/1000, Moderate (Ba), in the 700 to 749 band. Updated: 13/06/2026
SAP Global Score (TPRM): score locked
Current Score: 729 Ba (MODERATE) on a 0 to 1000 scale
10 incidents, -7.4 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
733
MAY 2026
736
Cyber Attack
01 May 2026 • SAP
SAP: Red Hat npm packages compromised to steal developer credentials
Red Hat npm Packages Compromised in Supply-Chain Attack Distributing Miasma Malware
726
LOW-10
SAP1780352800
Security researchers at Aikido and OX Security uncovered a supply-chain attack targeting over 30 npm packages under Red Hat’s `@redhat-cloud-services` namespace, distributing a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma." The compromised packages, which collectively receive 117,000 weekly downloads, were backdoored to exfiltrate sensitive data, including developer credentials, cloud secrets, SSH keys, CI/CD tokens, and environment files.
Red Hat confirmed the incident, stating that the affected packages were limited to internal development tooling and were removed from the npm registry upon discovery. The company emphasized that the malicious code never reached customer-facing systems via `console.redhat.com` and that no impact on production environments or customer data has been identified. However, the root cause of the compromise, including how the attacker gained access, remains under investigation.
The attack leveraged a compromised GitHub account belonging to a Red Hat employee, which was used to push malicious commits to multiple repositories. These commits introduced a GitHub Actions workflow that abused npm’s publishing mechanism to release backdoored versions of the packages. When installed, the packages executed a preinstall script triggering a 4.2 MB obfuscated `index.js` payload, designed to harvest credentials from AWS, Google Cloud, Azure, HashiCorp Vault, Kubernetes, npm, PyPI, Docker, GPG keys, and `.env` files.
A total of 32 packages and 96 versions were affected, all under the `@redhat-cloud-services` namespace. The malware, Miasma, appears to be a modified version of the Mini Shai-Hulud framework, whose source code was leaked in May by the TeamPCP threat group. While Miasma shares core functionality with Mini Shai-Hulud, such as credential theft, it introduces enhanced obfuscation, multi-stage payload delivery, and expanded data exfiltration capabilities. The campaign has also compromised 309 GitHub repositories, leaving traces of the string "Miasma: The Spreading Blight" in affected code.
This incident follows a recent surge in Shai-Hulud-based supply-chain attacks, which have targeted high-profile projects like Bitwarden, SAP, Mistral, TanStack, OpenAI, and GitHub. It remains unclear whether the threat actor behind this attack is TeamPCP or another group repurposing the leaked malware.
APRIL 2026
745
Cyber Attack
01 Apr 2026 • SAP
Checkmarx, Trivy and SAP: Official SAP npm packages compromised to steal credentials
SAP npm Packages Compromised in Suspected TeamPCP Supply-Chain Attack
736
CRITICAL-9
CHESAPSEC1777508710
Security researchers have uncovered a supply-chain attack targeting multiple official SAP npm packages, believed to be orchestrated by the TeamPCP threat group. The compromise affected four packages: @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48). These packages support SAP's Cloud Application Programming Model (CAP) and Cloud MTA and are widely used in enterprise development.
The malicious packages contained a preinstall script that executed automatically upon installation, deploying a loader (setup.mjs) to fetch the Bun JavaScript runtime from GitHub. This runtime then ran an obfuscated execution.js payload, designed to steal sensitive credentials from developer systems and CI/CD environments, including:
- npm and GitHub authentication tokens
- SSH keys and developer credentials
- Cloud credentials (AWS, Azure, Google Cloud)
- Kubernetes configurations and secrets
- CI/CD pipeline secrets and environment variables
On CI runners, the malware used an embedded Python script to scan process memory (/proc/<pid>/maps and /proc/<pid>/mem) for secrets, bypassing log masking, a tactic identical to that seen in previous TeamPCP attacks, such as those targeting Bitwarden and Checkmarx.
Stolen data was encrypted and exfiltrated to public GitHub repositories under victims' accounts, marked with the description "A Mini Shai-Hulud has Appeared", a reference mirroring the "Shai-Hulud: The Third Coming" string from earlier attacks. The malware also employed GitHub commit searches as a dead-drop mechanism, decoding commit messages containing base64-encoded tokens to escalate access.
Additionally, the payload included self-propagation capabilities, using stolen credentials to modify other accessible packages and repositories, further spreading the infection.
Researchers have linked the attack to TeamPCP with medium confidence, citing similarities in code and tactics to prior incidents involving Trivy, Checkmarx, and Bitwarden. While the exact compromise vector remains unclear, evidence suggests an exposed NPM token from a misconfigured CircleCI job may have been exploited.
SAP has not yet responded to inquiries regarding the breach. The affected package versions have since been deprecated on npm.
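Both npm incidents on this timeline (the `@redhat-cloud-services` packages in May 2026 and the `@cap-js`/`mbt` packages described here) hinge on the same mechanism: a `preinstall` hook that npm runs automatically during `npm install`, before any human has looked at the package contents. The following is an added example, not code from this page, from SAP, Red Hat, or the researchers cited, showing how a CI job can inventory every install-time hook in a resolved dependency tree and fail unless each one is on a reviewed allowlist. The package names and manifests it builds are constructed placeholders; the `node_modules` layout and the hook names (`preinstall`, `install`, `postinstall`, `prepare`) are npm's own.

```python
"""Audit a node_modules tree for install-time lifecycle scripts.

Added example (not from the page, SAP or Red Hat). It walks every
package.json under node_modules, records the packages that declare an
npm hook which runs automatically on install, and reports those that a
reviewer has not explicitly allowlisted as name@version.
"""
import json
import tempfile
from pathlib import Path

# Hooks npm runs without user interaction: the first three around `npm install`,
# `prepare` for git dependencies and when installing a package from source.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_scripts(node_modules: Path) -> list[dict]:
    """Return one record per installed package that declares an install-time hook."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest (fixtures, partial files)
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": data.get("name", pkg_json.parent.name),
                "version": data.get("version", "?"),
                "hooks": hooks,
                "path": pkg_json.parent.relative_to(node_modules).as_posix(),
            })
    return findings


def audit(node_modules: Path, allowlist: set[str]) -> list[dict]:
    """Findings whose name@version is not on the reviewed allowlist.

    Native addons that legitimately run node-gyp on install belong on the
    allowlist after review; anything else declaring a hook needs a human look.
    """
    return [f for f in find_lifecycle_scripts(node_modules)
            if f"{f['name']}@{f['version']}" not in allowlist]


def build_sample_tree(root: Path) -> Path:
    """Constructed sample node_modules; package names are placeholders, not real packages."""
    packages = {
        "@example-scope/clean-lib": ("1.0.0", {"test": "jest"}),
        # Mirrors the pattern in the text: a preinstall hook that launches a loader file.
        "@example-scope/hooked-lib": ("1.0.1", {"preinstall": "node setup.mjs"}),
        # A native addon that rebuilds on install; allowlisted below after review.
        "native-addon": ("3.2.0", {"install": "node-gyp rebuild"}),
    }
    nm = root / "node_modules"
    for name, (version, scripts) in packages.items():
        pkg_dir = nm / name  # scoped names contain "/" and become nested dirs
        pkg_dir.mkdir(parents=True)
        manifest = {"name": name, "version": version, "scripts": scripts}
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


def run_demo() -> tuple[list[dict], list[dict]]:
    """Build the sample tree and return (all hook findings, unreviewed findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = build_sample_tree(Path(tmp))
        reviewed = {"native-addon@3.2.0"}  # constructed allowlist entry
        return find_lifecycle_scripts(nm), audit(nm, reviewed)


if __name__ == "__main__":
    _, unreviewed = run_demo()
    for f in unreviewed:
        print(f"UNREVIEWED {f['name']}@{f['version']} ({f['path']}): {f['hooks']}")
    raise SystemExit(1 if unreviewed else 0)
```

Run this after `npm ci --ignore-scripts` (or with `ignore-scripts=true` in the project's `.npmrc`) so that no hook executes before the audit has run; the report then tells you exactly which packages, such as native addons, need their scripts re-enabled deliberately, and any newly appearing `preinstall` entry in a trusted namespace stands out as a change to investigate rather than something that has already run on the build agent.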
MARCH 2026
746
FEBRUARY 2026
744
JANUARY 2026
743
DECEMBER 2025
740
NOVEMBER 2025
739
OCTOBER 2025
737
SEPTEMBER 2025
746
Cyber Attack
24 Sep 2025 • SAP
Jaguar Land Rover and SAP: Jaguar Land Rover failed to finish cyber insurance purchase
Jaguar Land Rover Hit by Costly Cyberattack as Insurance Gap Leaves It Exposed
732
CRITICAL-14
SAPJAG1773959105
Jaguar Land Rover (JLR), the UK’s largest automaker, is grappling with the fallout of a severe cyberattack that has forced three factories offline until at least October 1. The financial impact is estimated at £50 million ($68 million) per week, with over 30,000 employees idled and suppliers facing financial strain. The attack has been attributed to the hacking group Scattered Spider, which previously targeted British retailers, and may have exploited a vulnerability in SAP software, raising concerns about vendor governance and patch management.
Unlike Marks & Spencer, which recently suffered a breach by the same group but is expected to recover over £100 million through its cyber insurance program, JLR lacks coverage. The company had been negotiating a policy through broker Lockton but failed to finalize the deal before the attack. Without insurance to offset business interruption losses, JLR is bearing the full cost of the shutdown, highlighting the risks of gaps in cyber coverage, particularly for manufacturers reliant on just-in-time production and complex supply chains.
The incident has sent ripples through the cyber insurance market, serving as a stress test for underwriters ahead of the autumn renewal season. It underscores the existential vulnerabilities of operating without coverage in an era of increasingly sophisticated attacks on operational technology. The shutdown has also drawn government attention, with UK industry minister Chris McDonald pledging support to stabilize JLR and its supply chain. Meanwhile, the Unite trade union has warned of potential job losses across the 104,000 roles tied to JLR’s production, and S&P Global has noted the broader economic impact in its latest UK manufacturing survey.
JLR is preparing a phased restart plan, but the attack has already become a cautionary case study for enterprises on the consequences of incomplete cyber insurance placement.
AUGUST 2025
751
Vulnerability
11 Aug 2025 • SAP
SAP
Critical SAP S/4HANA Code Injection Vulnerability (CVE-2025-42957) Exploited in the Wild
749
CRITICAL-2
SAP5464254090625
A critical SAP S/4HANA code injection vulnerability (CVE-2025-42957, CVSS 9.9) is being actively exploited in the wild, allowing low-privileged attackers to inject arbitrary ABAP code, bypass authorization, and achieve full system takeover. Despite SAP releasing a patch on August 11, 2025, unpatched systems remain exposed due to the ease of reverse-engineering the fix. Exploitation enables data theft, manipulation, privilege escalation (via backdoor accounts), credential theft, and operational disruption—including potential ransomware deployment or malware-based outages. SecurityBridge, which discovered and reported the flaw, confirmed real-world abuse, warning that skilled threat actors can weaponize it trivially. The vulnerability affects multiple SAP products, including S/4HANA (Private Cloud/On-Premise), NetWeaver ABAP, and Business One, risking enterprise-wide compromise. Administrators are urged to apply patches immediately, but delayed updates leave critical infrastructure vulnerable to full system hijacking, financial fraud, or supply-chain attacks via compromised SAP servers. The flaw’s severity stems from its ability to disrupt core business operations, expose sensitive data, and enable follow-on attacks like ransomware or lateral movement into connected networks.
JULY 2025
751
JUNE 2025
750
Vulnerability
16 Jun 2025 • SAP
SAP
SAP Fixed Maximum-Severity Bug in NetWeaver (CVE-2025-42944)
748
CRITICAL-2
SAP0433304101525
SAP addressed a critical insecure deserialization vulnerability (CVE-2025-42944, CVSS 10.0) in its SAP NetWeaver platform, allowing unauthenticated attackers to execute arbitrary OS commands via malicious payloads submitted through the RMI-P4 module on an open port. Successful exploitation could fully compromise the confidentiality, integrity, and availability of the affected system, enabling attackers to take control of servers, steal sensitive data, or disrupt operations. While no in-the-wild attacks were reported, the flaw posed a severe risk to enterprises relying on NetWeaver for core business processes. Additionally, SAP patched a Directory Traversal vulnerability (CVE-2025-42937, CVSS 9.8) in SAP Print Service (SAPSprint), permitting unauthenticated attackers to overwrite system files via path traversal, and an Unrestricted File Upload flaw (CVE-2025-42910, CVSS 9.0) in SAP Supplier Relationship Management, allowing authenticated attackers to upload and execute malicious files. These vulnerabilities collectively exposed organizations to data breaches, system takeovers, and operational disruptions, particularly in supply chain and enterprise resource planning (ERP) environments.
APRIL 2025
748
Vulnerability
01 Apr 2025 • SAP
SAP
SAP NetWeaver Visual Composer Vulnerability Exploitation
746
CRITICAL-2
SAP758042625
German software giant SAP's widely-used SAP NetWeaver was exploited due to a critical vulnerability in its Visual Composer development server. The vulnerability enabled an unauthenticated attacker to upload potentially harmful executable binaries. This compromise could significantly affect the confidentiality, integrity, and availability of the targeted system. The vulnerability was detected in April 2025 and assigned the highest severity score by SAP, 10.0 (CVSS v3.1). Although SAP quickly released an emergency fix, affected systems running the latest SAP service pack were already exploited, signifying a zero-day attack.
MARCH 2025
787
Breach
01 Mar 2025 • SAP
SAP
Inappropriate Behavior Incident Leading to CTO Departure
747
MEDIUM-40
SAP1007030425
Former CTO Jürgen Müller left SAP due to an 'incident' of inappropriate behavior at a company event, leading to an investigation into allegations of sexual harassment. Müller's departure was mutually agreed upon, and he received a compensation payout of €7.1 million ($7.5 million). The incident resulted in financial loss due to severance payments and could potentially damage SAP's reputation due to the nature of the misconduct and the public scrutiny of executive compensations.
JANUARY 2025
836
Ransomware
01 Jan 2025 • SAP
SAP
SAP NetWeaver Visual Composer Metadata Uploader Vulnerability
785
CRITICAL-51
SAP723051525
In late April, SAP fixed a severe bug in NetWeaver Visual Composer Metadata Uploader, affecting over 1,200 instances. Multiple ransomware operators, including BianLian and RansomEXX, exploited this flaw. The bug allowed unauthenticated actors to upload malicious executables. SAP also patched a separate critical zero-day vulnerability in NetWeaver server, tracked as CVE-2025-42999, with a severity score of 9.1/10. Both vulnerabilities were abused in attacks since January 2025.
JANUARY 2019
834
Vulnerability
01 Jan 2019 • SAP
SAP: SAP Releases Security Update to Patch Multiple Remote Code Execution Vulnerabilities
SAP Releases Critical Security Patches for Multiple Vulnerabilities
832
CRITICAL-2
SAP1773147083
SAP has issued a security update addressing multiple vulnerabilities across its core platforms, including SAP NetWeaver, S/4HANA, Business One, Business Warehouse, and industry-specific applications. The patches resolve critical flaws that could enable remote code execution (RCE), denial-of-service (DoS), and unauthorized access if left unaddressed.
### Critical Vulnerabilities Highlighted
1. CVE-2019-17571 (CVSS 9.8) – A code injection flaw in SAP Quotation Management Insurance (FS-QUO), stemming from an Apache Log4j 1.2 deserialization issue. Unauthenticated attackers can exploit this to execute arbitrary code, compromising system confidentiality, integrity, and availability.
2. CVE-2026-27685 (CVSS 9.1) – An insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration, allowing highly privileged attackers to achieve RCE with cross-scope impact.
3. CVE-2026-27689 (CVSS 7.7) – A DoS vulnerability in SAP Supply Chain Management, enabling authenticated users to disrupt system availability.
### Additional Flaws Addressed
- Server-Side Request Forgery (SSRF) in SAP NetWeaver AS ABAP
- Missing authorization checks in NetWeaver AS ABAP, SAP BW, S/4HANA HCM (Portugal), ERP HCM (Portugal), and SAP Solution Tools Plug-In (ST-PI)
- SQL injection in SAP NetWeaver Feedback Notification (CVE-2026-27684)
- DOM-based XSS in SAP Business One Job Service (CVE-2026-0489)
- Insecure storage protection in SAP Customer Checkout 2.0
- DLL hijacking in SAP GUI for Windows with GuiXT
- DoS risk due to outdated OpenSSL in SAP NetWeaver AS Java (Adobe Document Services)
### Impact & Recommended Actions
SAP advises customers to prioritize patching the FS-QUO and NetWeaver Enterprise Portal flaws, as they pose the highest risk of full system compromise. Security teams should then address remaining high and medium-severity issues, particularly in internet-facing and business-critical systems, to prevent potential lateral movement attacks via chained exploits.
All fixes and implementation guidance are available via the SAP Support Portal.
JUNE 2017
835
Vulnerability
16 Jun 2017 • SAP
SAP
SAP NetWeaver Application Server Java Directory Traversal Vulnerability
836
CRITICAL-1
SAP443032025
SAP's NetWeaver Application Server Java was found vulnerable to a critical directory traversal flaw identified as CVE-2017-12637. This vulnerability allows remote attackers to read arbitrary files, potentially leading to a compromise of sensitive information and system integrity. The flaw, given a CVSS score of 7.5, indicates a high severity risk. Because it is being actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies mitigate this risk urgently by April 9, 2025. Failure to patch or apply CISA's advisories could lead to serious data breaches, affecting customer and organizational data and disrupting significant operational capacities.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for SAP?
What was SAP's A.I Rankiteo Cyber Score in May 2026?
What was SAP's A.I Rankiteo Cyber Score in April 2026?
What was SAP's A.I Rankiteo Cyber Score in March 2026?
What was SAP's A.I Rankiteo Cyber Score in February 2026?
What was SAP's A.I Rankiteo Cyber Score in January 2026?
What was SAP's A.I Rankiteo Cyber Score in December 2025?
What was SAP's A.I Rankiteo Cyber Score in November 2025?
What was SAP's A.I Rankiteo Cyber Score in October 2025?
What was SAP's A.I Rankiteo Cyber Score in September 2025?
What was SAP's A.I Rankiteo Cyber Score in August 2025?
What was SAP's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on SAP's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with SAP?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view SAP's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?