GHSA-jpvj-wpmj-h7rv: Supply chain compromise via malicious @cap-js/openapi

June 4, 2026

On May 19, 2026, a compromised version of @cap-js/openapi@1.4.1 was published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.

References

github.com/advisories/GHSA-jpvj-wpmj-h7rv
github.com/cap-js/openapi/security/advisories/GHSA-jpvj-wpmj-h7rv
me.sap.com/notes/3747787
www.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html

Code Behaviors & Features

Detect and mitigate GHSA-jpvj-wpmj-h7rv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →