PT-2026-49155 · npm · @cap-js/openapi
Published 2026-06-04 · Updated 2026-06-04
CVSS v3.1: 9.6 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Impact
On May 19, 2026, a compromised release, @cap-js/openapi@1.4.1, was published to npm.
The malicious package harvested credentials from the host it was installed on and attempted to self-propagate.
If the compromised version was installed, every credential reachable from that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be treated as compromised.
Patches
Upgrade to @cap-js/openapi >= 1.4.2
If the compromised version was ever installed, rotate all affected credentials.
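Before deciding whether rotation is needed, a practitioner wants a reliable answer to "was 1.4.1 ever resolved or installed here?". The script below is an added example, not code from this advisory or from the @cap-js project. It checks a project's package-lock.json (both the lockfileVersion 1 "dependencies" tree and the v2/v3 "packages" map, so transitive pins are found too) and the installed node_modules tree for the affected version. The sample lockfiles and the fixture directory it builds are constructed for the example; the package name and version come from the advisory.

```python
"""Find the compromised @cap-js/openapi release in an npm project.

Added example for this advisory; not the project's own tooling.
"""
import json
import os
import sys
import tempfile

PACKAGE = "@cap-js/openapi"
# Only 1.4.1 is named as compromised; 1.4.2 is the fixed release.
COMPROMISED_VERSIONS = {"1.4.1"}

# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {PACKAGE: "^1.4.0"}},
        "node_modules/@cap-js/openapi": {"version": "1.4.1"},
        "node_modules/some-tool/node_modules/@cap-js/openapi": {"version": "1.4.2"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "2.0.0",
            "dependencies": {PACKAGE: {"version": "1.4.1"}},
        },
    },
}


def _walk_v1(deps, path, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree (nested pins)."""
    for name, info in (deps or {}).items():
        here = path + [name]
        if name == PACKAGE and info.get("version") in COMPROMISED_VERSIONS:
            hits.append(("lockfile", " > ".join(here), info["version"]))
        _walk_v1(info.get("dependencies"), here, hits)


def find_in_lockfile(lock):
    """Return [(source, location, version)] for every compromised pin in a parsed package-lock.json."""
    hits = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by the node_modules path of each package
        for key, info in lock["packages"].items():
            if key.endswith("node_modules/" + PACKAGE) and info.get("version") in COMPROMISED_VERSIONS:
                hits.append(("lockfile", key, info["version"]))
    else:
        # lockfileVersion 1: nested 'dependencies' tree
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


def find_installed(node_modules_dir):
    """Scan an installed node_modules tree for a package.json of the compromised version."""
    scope, name = PACKAGE.split("/")
    hits = []
    for dirpath, dirnames, filenames in os.walk(node_modules_dir):
        parent, leaf = os.path.split(dirpath)
        if leaf == name and os.path.basename(parent) == scope and "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json")) as f:
                meta = json.load(f)
            if meta.get("name") == PACKAGE and meta.get("version") in COMPROMISED_VERSIONS:
                hits.append(("node_modules", dirpath, meta["version"]))
            dirnames[:] = []  # the package's own subtree needs no further walk
    return hits


def scan_project(root):
    """Combine lockfile and installed-tree findings for a project directory."""
    hits = []
    lock_path = os.path.join(root, "package-lock.json")
    if os.path.exists(lock_path):
        with open(lock_path) as f:
            hits += find_in_lockfile(json.load(f))
    hits += find_installed(os.path.join(root, "node_modules"))
    return hits


def make_fixture():
    """Build a throwaway project with 1.4.1 installed (constructed test data) and return its path."""
    root = tempfile.mkdtemp(prefix="capjs-check-")
    pkg_dir = os.path.join(root, "node_modules", "@cap-js", "openapi")
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "package.json"), "w") as f:
        json.dump({"name": PACKAGE, "version": "1.4.1"}, f)
    with open(os.path.join(root, "package-lock.json"), "w") as f:
        json.dump(SAMPLE_LOCK_V3, f)
    return root


if __name__ == "__main__":
    # Usage: python check_capjs.py /path/to/project (defaults to a constructed fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for source, where, version in scan_project(target):
        print(f"{source}: {where} resolves to {PACKAGE}@{version} (compromised)")
```

A hit in either source means the machine that ran `npm install` (developer workstation or CI runner) must be treated as exposed and its credentials rotated; an empty result from the current lockfile alone is not proof of safety, because the lockfile may have been updated past 1.4.1 since, so also check lockfile history in version control.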
Workarounds
No workarounds.
Affected Products
@cap-js/openapi