On April 29, 2026, someone slipped malicious code into four widely used SAP software packages. Within days, the infection had spread to at least 169 packages across the npm registry, the world’s ...