PT-2026-42206 · Npm · @Cap-Js/Db-Service+2
Published
2026-05-20
·
Updated
2026-05-26
·
CVE-2026-46421
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Impact
On April 29, 2026, compromised versions of
@cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published.
The malicious packages harvested credentials and attempted self-propagation.
If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.Patches
Upgrade to
@cap-js/sqlite >= 2.4.0, @cap-js/postgres >= 2.3.0, @cap-js/db-service >= 2.11.0.
If a compromised version was ever installed, rotate all affected credentials.Workarounds
No workarounds.
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Cap-Js/Db-Service
@Cap-Js/Postgres
@Cap-Js/Sqlite