Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) — CVE-2026-46421
GitHub · GitHub · CVE-2026-46421
ID
CVE-2026-46421
CVE-2026-46421
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
Summary
## Impact On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. ##…
Product
npm: @cap-js/sqlite | npm: @cap-js/postgres | npm: @cap-js/db-service
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.