SAP Security Notes, May 2026

SAP Security Note 3747787 addresses the Mini Shai-Hulud malware campaign targeting SAP-related npm packages used in SAP cloud development. The incident involved malicious versions of packages associated with SAP CAP and MTA development tooling, including mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service. The compromised packages used a malicious preinstall script that executed during npm installation, downloaded the Bun runtime, and launched an obfuscated credential-stealing payload.

The malware was designed to steal developer, GitHub, npm, cloud, CI/CD, and service account credentials from developer workstations and build environments. It also attempted to propagate by using stolen tokens to publish itself to other npm packages and created GitHub repositories in victim accounts as part of the exfiltration process. The payload also added persistence mechanisms through IDE and AI coding tool configuration files, including VS Code and Claude Code hooks, which could re-trigger execution when a compromised repository was opened.

SAP Security Note 3747787 should be treated as an urgent supply-chain security advisory for organizations using SAP CAP, SAP BTP development pipelines, MTA build tooling, or npm-based SAP development workflows. The key risk is not limited to the affected packages themselves; any system that installed the malicious versions may have exposed credentials, source code access, deployment permissions, and CI/CD secrets. Removing or downgrading the package alone may not be sufficient if persistence files or stolen credentials remain in use.

Recommended actions include identifying whether the affected package versions were installed in developer machines, CI/CD runners, build agents, containers, artifact repositories, or lockfiles; removing or replacing compromised versions with clean releases; searching for indicators of compromise such as suspicious GitHub repositories, unexpected commits, modified workflow files, and IDE configuration changes; and rotating all credentials that may have been exposed. Affected systems should be treated as potentially compromised, especially where privileged npm, GitHub, cloud, or deployment credentials were present.
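The triage steps above (finding the named packages in lockfiles, spotting the install-time script behaviour, and checking IDE configuration for re-trigger hooks) can be started with a small script. The following is an added example, not SAP's tooling and not an official IoC list: the note gives package names but no affected version numbers, so the script only reports what a lockfile pins for those names, for comparison against SAP's clean releases. The "download a runtime, then run Bun" regex and the VS Code `runOn: folderOpen` check are heuristics chosen here, and every sample input is constructed.

```python
"""Triage helper for the npm supply-chain incident in SAP Security Note 3747787.

Added example, not SAP's tooling. Reports pinned versions of the packages the
note names, flags install hooks that match the described behaviour, and lists
VS Code tasks configured to run automatically when a folder is opened.
All sample inputs are constructed for the demo.
"""
import re

# Package names taken from the note itself (affected versions are not listed there).
WATCHED_PACKAGES = {"mbt", "@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service"}

# npm runs these lifecycle hooks automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic (an assumption, not an official indicator): an install hook that
# fetches something over the network and then invokes the Bun runtime.
SUSPICIOUS_SCRIPT = re.compile(r"(curl|wget|Invoke-WebRequest|bun\.sh).*\bbun\b", re.I)


def watched_entries(lockfile: dict) -> dict:
    """Map watched package name -> pinned version from a v2/v3 package-lock.json."""
    found = {}
    for path, meta in lockfile.get("packages", {}).items():
        # Keys look like "node_modules/@cap-js/sqlite", possibly nested deeper.
        name = path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED_PACKAGES:
            found[name] = meta.get("version")
    return found


def suspicious_install_scripts(manifests: dict) -> list:
    """manifests: package name -> parsed package.json. Returns (name, hook, command) hits."""
    hits = []
    for name, pkg in manifests.items():
        for hook in INSTALL_HOOKS:
            cmd = pkg.get("scripts", {}).get(hook)
            if cmd and SUSPICIOUS_SCRIPT.search(cmd):
                hits.append((name, hook, cmd))
    return hits


def folder_open_tasks(tasks_json: dict) -> list:
    """Labels of .vscode/tasks.json tasks set to run automatically on folder open."""
    return [
        task.get("label", "<unnamed>")
        for task in tasks_json.get("tasks", [])
        if task.get("runOptions", {}).get("runOn") == "folderOpen"
    ]


# Constructed sample inputs; version strings are placeholders, not real releases.
SAMPLE_LOCKFILE = {
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "0.0.0-sample"},
        "node_modules/mbt": {"version": "0.0.0-sample"},
        "node_modules/@cap-js/db-service": {"version": "0.0.0-sample"},
        "node_modules/@cap-js/db-service/node_modules/@cap-js/sqlite": {"version": "0.0.0-sample"},
    }
}
SAMPLE_MANIFESTS = {
    "mbt": {"scripts": {"preinstall": "curl -fsSL https://bun.sh/install | bash && bun run setup_bun.js"}},
    "sharp": {"scripts": {"install": "node-gyp rebuild"}},
}
SAMPLE_TASKS = {
    "tasks": [
        {"label": "build", "command": "npm run build"},
        {"label": "init", "command": "node .vscode/init.js",
         "runOptions": {"runOn": "folderOpen"}},
    ]
}

if __name__ == "__main__":
    print("watched packages:", watched_entries(SAMPLE_LOCKFILE))
    print("suspicious hooks:", suspicious_install_scripts(SAMPLE_MANIFESTS))
    print("folder-open tasks:", folder_open_tasks(SAMPLE_TASKS))
```

Run it against real `package-lock.json` files from developer machines, CI runners and container images by loading them with `json.load`; any hit on the watched list is a prompt to compare the pinned version with SAP's clean release and to start the credential rotation the note calls for, not proof of compromise on its own.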

In summary, SAP Security Note 3747787 responds to a targeted npm supply-chain attack against the SAP development ecosystem. The note is important because the attack affected trusted development packages, executed automatically during installation, targeted high-value developer and CI/CD credentials, and created a risk of further propagation across repositories and package ecosystems.

SAP Security Note 3724838 patches a Hot News SQL injection vulnerability in SAP S/4HANA, specifically SAP Enterprise Search for ABAP. The vulnerability is tracked as CVE-2026-34260 and affects SAP_BASIS releases 7.51 through 7.58 and SAP_BASIS 8.16.

The vulnerability occurs because user-controlled input in an affected parameter is passed to the underlying database without proper validation or sanitization. As a result, an authenticated attacker could inject malicious SQL statements into database queries generated by the application. Successful exploitation may allow unauthorized access to sensitive database information and could potentially cause the application to crash.

The vulnerability has a high impact on confidentiality and availability. Sensitive data may be exposed through unauthorized database access, and application stability may be affected if malicious SQL causes service disruption. Integrity is not impacted, meaning the vulnerability is not expected to allow unauthorized modification of data.

The correction in the note validates user input before it is passed to the database, preventing malicious SQL from being executed.
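To make the defect class and the shape of the fix concrete, here is an added Python/SQLite stand-in (not SAP's ABAP code, and not the actual Enterprise Search query): a search parameter spliced into the statement text versus the same search with the parameter validated against an allowlist and bound as a value, which is the approach the note describes. The table, rows and tainted input are constructed.

```python
"""Vulnerable versus fixed handling of a search parameter, illustrating CVE-2026-34260.

Added example with constructed demo data; the Python/SQLite code is a stand-in
for the ABAP database access the note corrects.
"""
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "alice", "Q1 forecast"), (2, "finance", "Payroll export"), (3, "alice", "Q2 forecast")],
    )
    return conn


def search_vulnerable(conn, owner: str, term: str) -> list:
    """The search term is spliced into the statement text, so any SQL syntax the
    caller supplies becomes part of the query (the defect class in the note)."""
    sql = (f"SELECT id FROM documents WHERE owner = '{owner}' "
           f"AND title LIKE '%{term}%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


# Allowlist for a free-text search term: letters, digits, spaces, '-' and '_'.
# Quotes, comment markers and operators are rejected before the database sees them.
SEARCH_TERM = re.compile(r"[\w\s-]{1,64}")


def search_fixed(conn, owner: str, term: str) -> list:
    """Validate first, then bind the term as a parameter so it is only ever data."""
    if not SEARCH_TERM.fullmatch(term):
        raise ValueError("search term contains disallowed characters")
    sql = "SELECT id FROM documents WHERE owner = ? AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner, f"%{term}%"))]


if __name__ == "__main__":
    db = build_demo_db()
    tainted = "' OR 1=1 --"   # constructed input that closes the quoted literal
    print(search_vulnerable(db, "alice", "forecast"))   # [1, 3]: the intended result
    print(search_vulnerable(db, "alice", tainted))       # [1, 2, 3]: another owner's row leaks
    print(search_fixed(db, "alice", "forecast"))         # [1, 3]
    try:
        search_fixed(db, "alice", tainted)
    except ValueError as err:
        print("rejected:", err)
```

The leak in the vulnerable path is the confidentiality impact the note rates as high; a malformed statement from the same input can also raise a database error on every request, which is where the availability impact comes from. Validation alone is not the whole fix: binding the value as a parameter is what keeps it from ever being parsed as SQL.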

SAP Security Note 3733064 addresses a missing authentication check vulnerability in SAP Commerce Cloud configuration, tracked as CVE-2026-34263. The issue is caused by an improper Spring Security configuration with overly permissive access rules and incorrect rule ordering, which may allow unauthenticated access to sensitive configuration upload functionality.

The vulnerability could allow an unauthenticated attacker to upload a malicious configuration and inject code. When the malicious input is later processed by a legitimate user, it may result in arbitrary server-side code execution. This creates a serious risk to the affected SAP Commerce Cloud application because successful exploitation can compromise confidentiality, integrity, and availability.

The main risk is that an attacker may be able to execute unauthorized code on the server without first authenticating to the application. This could lead to unauthorized access to sensitive data, manipulation of application behavior or configuration, and disruption of system availability. The vulnerability is especially critical because it affects sensitive administrative functionality related to Backoffice configuration upload.

SAP has addressed the vulnerability by disabling configuration upload functionality by default, preventing unauthenticated access to the affected endpoint and reducing the risk of malicious configuration-based code execution. Organizations should apply the relevant SAP Commerce Cloud patch release as soon as possible.
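The rule-ordering mistake the note describes is easy to reproduce in miniature. Spring Security evaluates request matchers in declaration order and the first matching rule decides, so a broad `permitAll` rule declared ahead of a narrower protected path silently opens that path. The following is an added Python model of that first-match evaluation, not SAP Commerce Cloud or Spring code; the endpoint path, role names and the "upload disabled by default" switch are hypothetical stand-ins for what the note describes.

```python
"""First-match access-rule evaluation, modelling the misconfiguration class in CVE-2026-34263.

Added example, not SAP Commerce Cloud code. Paths and role names are hypothetical.
"""


def path_matches(pattern: str, path: str) -> bool:
    """Ant-style subset: a '/**' suffix matches the prefix and everything below it."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def is_allowed(rules: list, path: str, roles: set, upload_enabled: bool = True) -> bool:
    """rules: ordered (pattern, requirement) pairs; requirement is 'permitAll',
    'authenticated' or a role name. roles is the caller's granted authorities
    (empty set = anonymous). Paths matched by no rule are denied."""
    # Mirrors the note's fix: the upload function is off by default, so no
    # ordering mistake in the rules can expose it. (Hypothetical endpoint path.)
    if path.startswith("/backoffice/config-upload") and not upload_enabled:
        return False
    for pattern, requirement in rules:
        if path_matches(pattern, path):
            if requirement == "permitAll":
                return True
            if requirement == "authenticated":
                return len(roles) > 0
            return requirement in roles
    return False


# Overly permissive and mis-ordered: the catch-all fires before the admin rule ever runs.
WEAK_RULES = [
    ("/**", "permitAll"),
    ("/backoffice/**", "ROLE_ADMIN"),
]

# Corrected: protected paths first, public paths listed explicitly, nothing else matched.
CORRECTED_RULES = [
    ("/backoffice/**", "ROLE_ADMIN"),
    ("/static/**", "permitAll"),
    ("/login", "permitAll"),
]

UPLOAD = "/backoffice/config-upload"   # hypothetical protected endpoint
ANONYMOUS = set()
ADMIN = {"ROLE_ADMIN"}

if __name__ == "__main__":
    print("weak, anonymous:", is_allowed(WEAK_RULES, UPLOAD, ANONYMOUS))             # True (the bug)
    print("corrected, anonymous:", is_allowed(CORRECTED_RULES, UPLOAD, ANONYMOUS))   # False
    print("corrected, admin:", is_allowed(CORRECTED_RULES, UPLOAD, ADMIN))           # True
    print("corrected, admin, upload disabled:",
          is_allowed(CORRECTED_RULES, UPLOAD, ADMIN, upload_enabled=False))          # False
```

When reviewing a real Spring Security configuration, read the `authorizeHttpRequests` (or older `antMatchers`) chain top to bottom with this first-match rule in mind: any `permitAll` on a wide pattern must sit below every narrower protected pattern, and a default-deny rule should close the chain.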

The fix is available in the following releases: SAP Commerce Cloud 2205.49, 2211.51, and 2211-jdk21.10. Organizations should also review FAQ document 3746113 for detailed guidance on the vulnerability and required remediation actions.

SAP Security Note 3732471 fixes a high-risk OS command injection vulnerability in SAP Forecasting & Replenishment, tracked as CVE-2026-34259. The vulnerability could allow an authenticated attacker with administrative authorizations to abuse a non-remote-enabled function to execute arbitrary operating system commands.

The issue is caused by insufficient control over operating system commands executed through function module input parameters, including input sourced from an upstream component. Successful exploitation could allow the attacker to read, modify, or delete system data, execute unauthorized commands at the operating system level, or shut down the system.

This vulnerability has a severe impact because it can lead to complete compromise of confidentiality, integrity, and availability. An attacker with the required access could potentially gain control over the affected system environment, alter business-critical data, disrupt application operations, or use the compromised host as a foothold for further attacks.

SAP has corrected the issue by adding authorization checks and screening operating system commands before execution. Organizations using SAP Forecasting & Replenishment should implement the relevant Correction Instructions or Support Packages referenced in SAP Security Note 3732471 as soon as possible to reduce the risk of OS command execution and full system compromise.
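The two parts of the fix the note describes, an authorization check and screening of the operating system command before execution, translate into a small amount of code in any language. The following is an added Python example, not SAP Forecasting & Replenishment code: it shows the defect class (caller-supplied text handed to a shell) next to a hardened version that gates on a permission, maps the request onto a fixed allowlist of command vectors, screens any remaining argument, and never invokes a shell. The permission name, logical command names and the tainted inputs are hypothetical and constructed.

```python
"""Authorization gate plus command screening, illustrating the fix class for CVE-2026-34259.

Added example, not SAP code. Permission and command names are hypothetical.
"""
import re
import shlex
import subprocess

# Logical command name -> (fixed argv prefix, maximum number of extra arguments).
# Callers choose a name from this table; they never supply an executable.
ALLOWED = {
    "disk-usage": (["df", "-h"], 1),
    "uptime": (["uptime"], 0),
}
SAFE_ARG = re.compile(r"[A-Za-z0-9._/-]{1,128}")   # no whitespace or shell metacharacters
REQUIRED_PERMISSION = "os_command_admin"           # hypothetical authorization name


class Authz:
    """Minimal stand-in for the authorization check the note adds."""
    def __init__(self, grants: dict):
        self.grants = grants

    def has(self, user: str, permission: str) -> bool:
        return permission in self.grants.get(user, set())


def run_vulnerable(raw_request: str):
    """The defect class: text from the caller (or an upstream component) goes
    straight to a shell, so ';', '&&' and friends become additional commands.
    Shown for contrast only; nothing below calls it."""
    return subprocess.run(raw_request, shell=True, capture_output=True, text=True)


def plan_command(user: str, authz: Authz, raw_request: str) -> list:
    """Return the argv vector to execute, or raise if the request is not permitted."""
    if not authz.has(user, REQUIRED_PERMISSION):
        raise PermissionError(f"{user} lacks {REQUIRED_PERMISSION}")
    parts = shlex.split(raw_request)            # raises ValueError on unbalanced quotes
    if not parts or parts[0] not in ALLOWED:
        raise ValueError("command not in allowlist")
    prefix, max_extra = ALLOWED[parts[0]]
    extra = parts[1:]
    if len(extra) > max_extra:
        raise ValueError("too many arguments")
    for arg in extra:
        # Reject metacharacters and anything that looks like an option switch.
        if not SAFE_ARG.fullmatch(arg) or arg.startswith("-"):
            raise ValueError(f"rejected argument: {arg!r}")
    return prefix + extra


def decision(user: str, authz: Authz, raw_request: str) -> tuple:
    """Audit-friendly wrapper: ('allow', argv) or ('deny', reason)."""
    try:
        return ("allow", plan_command(user, authz, raw_request))
    except (PermissionError, ValueError) as err:
        return ("deny", type(err).__name__)


def execute(argv: list) -> subprocess.CompletedProcess:
    """Run a screened vector without a shell, so argv elements stay arguments."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


AUTHZ = Authz({"fr_admin": {REQUIRED_PERMISSION}, "analyst": set()})

if __name__ == "__main__":
    for user, request in [
        ("fr_admin", "disk-usage /var"),          # allowed: ['df', '-h', '/var']
        ("analyst", "uptime"),                    # denied: missing permission
        ("fr_admin", "uptime; id"),               # denied: 'uptime;' is not an allowlisted name
        ("fr_admin", "disk-usage '/var; id'"),    # denied: argument fails screening
        ("fr_admin", "disk-usage /var --rm"),     # denied: too many arguments
    ]:
        print(user, repr(request), "->", decision(user, AUTHZ, request))
```

The design point is that screening is done on a closed allowlist of command vectors rather than by trying to strip dangerous characters from free text, and that the authorization check runs before any parsing so an unprivileged caller never reaches the command logic at all.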