GHSA-jpvj-wpmj-h7rvCriticalCVSS 9.6Disclosed before NVD
Supply chain compromise via malicious @cap-js/openapi
📋 Description
Impact
On May 19, 2026, a compromised version of @cap-js/[email protected] was published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.
Patches
Upgrade to @cap-js/openapi >= 1.4.2 If the compromised version was ever installed, rotate all affected credentials.
Workarounds
No workarounds.
References
🎯 Affected products1
- npm/@cap-js/openapi:= 1.4.1