What happened

On April 29, 2026 between 09:55–12:14 UTC, a wave of malicious SAP-namespaced npm packages was published carrying credential-stealing preinstall scripts. This was the precursor campaign that evolved into the TanStack attack two weeks later.

Indicators

• Suspicious version bumps on SAP packages during the 2-hour window.
• preinstall script in package.json invoking an inline obfuscated payload.
• Outbound POST to a TeamPCP collector domain.