The proxy in Testcafe seems to support only HTTP Basic Authorization but not NTLM required by the company proxy.
Therefore I'm using an intermediate proxy capable of NTLM (cntlm). Credentials are set by the intermediate proxy - Testcafe does not have to authorize at the intermediate proxy.
I analyzed the traffic between Testcafe and intermediate proxy (failing with HTTP 407 triggered by the company proxy) and compared it with traffic between curl and the intermediate proxy (succeeding):
While curl sets
Proxy-Connection: keep-alive
Testcafe sets
Connection: close
If I force curl to use the same Connection setting as Testcafe it fails as well with HTTP 407.