GHSA-8pqq-224h-x875: ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key

May 5, 2026

Between 2026-02 and 2026-04-24 a total of 22 public PyPI sdists of ogham-mcp contained development credentials embedded in source files. All credentials have since been rotated on the respective providers. No known exploitation. Upgrade to v0.11.1 to get a clean release.

References

github.com/advisories/GHSA-8pqq-224h-x875
github.com/ogham-mcp/ogham-mcp
github.com/ogham-mcp/ogham-mcp/security/advisories/GHSA-8pqq-224h-x875

Code Behaviors & Features

Detect and mitigate GHSA-8pqq-224h-x875 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →