GHSA-jpvj-wpmj-h7rvCriticalCVSS 9.6Disclosed before NVD

Supply chain compromise via malicious @cap-js/openapi

Published
June 4, 2026
Last Modified
June 4, 2026

📋 Description

Impact

On May 19, 2026, a compromised version of @cap-js/[email protected] was published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.

Patches

Upgrade to @cap-js/openapi >= 1.4.2 If the compromised version was ever installed, rotate all affected credentials.

Workarounds

No workarounds.

References

🎯 Affected products1

  • npm/@cap-js/openapi:= 1.4.1

🔗 References (4)