Supply chain compromise via malicious @cap-js/openapi

GHSA-jpvj-wpmj-h7rv

Published Jun 4, 2026 · Modified Jun 4, 2026

Description

Impact

On May 19, 2026, a compromised version of @cap-js/openapi@1.4.1 was published.
The malicious packages harvested credentials and attempted self-propagation.
If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.

Patches

Upgrade to @cap-js/openapi >= 1.4.2
If the compromised version was ever installed, rotate all affected credentials.

Workarounds

No workarounds.

References

SAP Note 3747787
Developer FAQ

References

WEB https://github.com/cap-js/openapi/security/advisories/GHSA-jpvj-wpmj-h7rv
PACKAGE https://github.com/cap-js/openapi
WEB https://me.sap.com/notes/3747787
WEB https://www.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes