VYPR
Critical severityGHSA Advisory· Published May 20, 2026· Updated May 20, 2026

Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)

CVE-2026-46421

Description

Impact

On April 29, 2026, compromised versions of @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.

Patches

Upgrade to @cap-js/sqlite >= 2.4.0, @cap-js/postgres >= 2.3.0, @cap-js/db-service >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials.

Workarounds

No workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@cap-js/sqlitenpm
>= 2.2.2, < 2.3.02.3.0
@cap-js/postgresnpm
>= 2.2.2, < 2.3.02.3.0
@cap-js/db-servicenpm
>= 2.10.1, < 2.11.02.11.0

Affected products

1

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.