SAP Knowledge Base Article - Public

3759444 - Malicious Open-Source Packages in NPM ecosystem - Impact on SAP SuccessFactors

Symptom

  • On April 29, 2026, malicious versions of open-source packages were distributed within the NPM ecosystem. Then, on May 18, 2026, another malicious NPM package was detected. These malicious versions appear to exfiltrate information, such as credentials, and attempt to propagate into downstream software packages as well as adjacent software repositories when installed on a system.
  • Is there any impact on SuccessFactors?

Environment

SAP SuccessFactors HCM Suite

Resolution

  • To date, there is no evidence that SAP-hosted customer data has been impacted. No additional systems or data beyond the SAP open-source NPM packages were affected by this issue.
    SAP cannot disclose further details regarding its ongoing investigation.
  • SAP cannot determine whether individual customer environments may have been affected. If you are uncertain about the status of your systems, take prompt action, wherever applicable, by following the mitigation steps outlined in SAP Note 3747787 to help maintain the security of your environment.
  • For further information, please reach out to your account team contacts.

Keywords

npm, supply chain, attack, successfactors, open-source, malicious, credentials, software packages, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, Problem

Product

SAP SuccessFactors HCM Core 2605