Critical severityGHSA Advisory· Published May 20, 2026· Updated May 20, 2026
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)
CVE-2026-46421
Description
Impact
On April 29, 2026, compromised versions of @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.
Patches
Upgrade to @cap-js/sqlite >= 2.4.0, @cap-js/postgres >= 2.3.0, @cap-js/db-service >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials.
Workarounds
No workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@cap-js/sqlitenpm | >= 2.2.2, < 2.3.0 | 2.3.0 |
@cap-js/postgresnpm | >= 2.2.2, < 2.3.0 | 2.3.0 |
@cap-js/db-servicenpm | >= 2.10.1, < 2.11.0 | 2.11.0 |
Affected products
1Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.