MAL-2026-3179

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mbt/MAL-2026-3179.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3179
Published
2026-04-29T10:00:00Z
Modified
2026-05-01T00:18:12.545166Z
Summary
Malicious code in mbt (npm)
Details

Supply chain compromise of legitimate SAP packages published by threat actor "cloudmtabot@gmail.com" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs (4.4 KB) and execution.js (11.1 MB) bundled in the tarball, with a preinstall hook of "node setup.mjs". Notably, setup.mjs is explicitly excluded from the package.json 'files' allowlist yet is still shipped in the tarball — a manifest evasion technique intended to hide the malicious file from allowlist inspection while still executing it on install. execution.js (11.1 MB) is anomalously large for these packages and is consistent with an embedded payload or exfiltration binary. Packages were published 2026-04-29T09:55Z.

mbt (SAP Multi-Target Application Build Tool) is a high-impact CLI tool used in SAP CI/CD pipelines to compile and package MTA projects. Its privileged position in build environments makes it a valuable target for credential and token exfiltration.
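As an added defensive example, not part of this advisory or of the mbt project: a Node.js check that cross-references a package.json against the entries actually present in the tarball, flagging the fingerprint described above (install hook, a file shipped outside the `files` allowlist, an anomalously large file, and a hook that executes such an unlisted file). The sample manifest and entry sizes are constructed, and the allowlist matcher is a simplified approximation of npm's rules, not a reimplementation of them.

```javascript
// Files npm ships regardless of the `files` allowlist (simplified; real npm also
// covers README/LICENSE name variants and the `main` entry).
const ALWAYS_SHIPPED = new Set(['package.json', 'README.md', 'LICENSE', 'CHANGELOG.md']);

// Simplified allowlist match: exact path, directory prefix, or a single-segment `*` glob.
// Assumption: this approximates npm's matcher closely enough for a triage check.
function allowedByFilesList(relPath, filesList) {
  return filesList.some((pattern) => {
    const p = pattern.replace(/^\.?\//, '').replace(/\/$/, '');
    if (p.includes('*')) {
      const parts = p.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
      return new RegExp('^' + parts.join('[^/]*') + '$').test(relPath);
    }
    return relPath === p || relPath.startsWith(p + '/');
  });
}

// Returns findings for one package; an empty array means no indicator fired.
// `entries` is the tarball listing as [{ path, size }], paths prefixed "package/".
function auditTarball(pkg, entries, sizeLimitBytes = 5 * 1024 * 1024) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push({ kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const { path, size } of entries) {
    const rel = path.replace(/^package\//, '');
    if (Array.isArray(pkg.files) && !ALWAYS_SHIPPED.has(rel) && !allowedByFilesList(rel, pkg.files)) {
      findings.push({ kind: 'outside-files-allowlist', detail: rel });
    }
    if (size > sizeLimitBytes) findings.push({ kind: 'oversized-file', detail: `${rel} (${size} bytes)` });
  }
  // Strongest signal: a lifecycle hook that runs a file the manifest says should not ship.
  const hooks = findings.filter((f) => f.kind === 'install-hook');
  const unlisted = findings.filter((f) => f.kind === 'outside-files-allowlist');
  for (const h of hooks) {
    for (const u of unlisted) {
      if (h.detail.includes(u.detail)) findings.push({ kind: 'hook-runs-unlisted-file', detail: u.detail });
    }
  }
  return findings;
}

// Constructed sample modelled on the fingerprint above; names and sizes are illustrative.
const samplePkg = { name: 'example-pkg', files: ['bin', 'lib'], scripts: { preinstall: 'node setup.mjs' } };
const sampleEntries = [
  { path: 'package/package.json', size: 1200 },
  { path: 'package/bin/cli.js', size: 3000 },
  { path: 'package/setup.mjs', size: 4400 },
  { path: 'package/execution.js', size: 11.1 * 1024 * 1024 },
];
for (const f of auditTarball(samplePkg, sampleEntries)) console.log(`[${f.kind}] ${f.detail}`);
```

To run this against a real package, feed it the `package.json` from the extracted tarball and the `tar -tvf` listing (or `npm pack --dry-run --json`) converted to `{ path, size }` objects.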


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (62b15ba37c3071554cc586ba582589ad51abba89e1be51e993afdf933a18c8b1)

The package mbt was found to contain malicious code.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "62b15ba37c3071554cc586ba582589ad51abba89e1be51e993afdf933a18c8b1",
            "import_time": "2026-04-30T22:23:10.078327513Z",
            "source": "amazon-inspector",
            "modified_time": "2026-04-30T21:59:18Z",
            "versions": [
                "1.2.48"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / mbt

Package: mbt
Affected ranges: 1.*
Affected versions: 1.2.48

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mbt/MAL-2026-3179.json"