CVE Reports

Posted on • Originally published at cvereports.com

GHSA-JPVJ-WPMJ-H7RV: Supply Chain Compromise and Malicious Code Injection in @cap-js/openapi

Vulnerability ID: GHSA-JPVJ-WPMJ-H7RV
CVSS Score: 9.6
Published: 2026-06-04

A critical supply chain compromise was identified in the Node.js package @cap-js/openapi at version 1.4.1. An attacker gained unauthorized publishing access to the npm registry and distributed a backdoored release that harvests sensitive developer credentials, environment variables, and SSH keys. The malicious code then exfiltrates the collected data to external actor-controlled servers.

TL;DR

Malicious version 1.4.1 of @cap-js/openapi was published to npm to harvest and exfiltrate credentials, SSH keys, and tokens.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Vulnerability Type: Supply Chain Compromise
  • CWE ID: CWE-506
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 9.6
  • Exploit Status: Active exploitation in the wild
  • Target Component: @cap-js/openapi
  • Affected Version: 1.4.1

Affected Systems

  • @cap-js/openapi on npm
  • SAP Cloud Application Programming Model Node.js Environments
  • @cap-js/openapi: 1.4.1 (fixed in 1.4.2)

Exploit Details

Mitigation Strategies

  • Upgrade to non-compromised versions of @cap-js/openapi.
  • Perform extensive credential rotation on affected hosts.
  • Enforce lockfile checksum integrity verification.
  • Configure private network egress filtering to block suspicious C2 communication.

Remediation Steps:

  1. Verify whether version 1.4.1 was installed via 'npm ls @cap-js/openapi'.
  2. Force update to version 1.4.2 or higher using 'npm install @cap-js/openapi@latest'.
  3. Identify infected environments and isolate them from the network immediately.
  4. Revoke and rotate npm registry tokens, GitHub personal access tokens, AWS keys, and private SSH keys present on compromised machines.
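As an added check that is not part of the advisory, the Node.js script below walks a package-lock.json (lockfileVersion 2 or 3), reports every occurrence of @cap-js/openapi 1.4.1 including nested copies, and lists registry entries that carry no integrity hash, which is what step 1 and the lockfile-integrity mitigation ask for. The embedded lockfile and its sha512 values are constructed sample data.

```javascript
// Added example: audit an npm lockfile for the compromised @cap-js/openapi
// release and for dependency entries missing an SRI "integrity" hash.
const COMPROMISED = { name: "@cap-js/openapi", versions: new Set(["1.4.1"]) };

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = { compromised: [], missingIntegrity: [] };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    if (packageName(key) === COMPROMISED.name && COMPROMISED.versions.has(entry.version)) {
      findings.compromised.push({ path: key, version: entry.version });
    }
    // Registry-resolved entries should carry an integrity hash; workspace
    // links never do, so they are skipped rather than flagged.
    if (!entry.link && !entry.integrity) findings.missingIntegrity.push(key);
  }
  return findings;
}

// Constructed sample lockfile: one direct hit, one nested fixed copy,
// one entry with no integrity hash. Hash values are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@cap-js/openapi": { version: "1.4.1", integrity: "sha512-PLACEHOLDER-A" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/@cap-js/openapi": { version: "1.4.2", integrity: "sha512-PLACEHOLDER-B" },
  },
};

function loadLockfile(path) {
  const fs = require("node:fs");
  return JSON.parse(fs.readFileSync(path, "utf8"));
}

// Usage: node audit-lock.js [path/to/package-lock.json]; defaults to the sample.
const lock = process.argv[2] ? loadLockfile(process.argv[2]) : SAMPLE_LOCK;
const result = auditLockfile(lock);
for (const hit of result.compromised) console.log(`COMPROMISED ${hit.path} @ ${hit.version}`);
for (const key of result.missingIntegrity) console.log(`NO INTEGRITY ${key}`);
if (result.compromised.length === 0) console.log("no compromised @cap-js/openapi release found");
```

A hit means the host falls under steps 3 and 4 (isolate, then rotate npm, GitHub, AWS and SSH credentials), not just step 2.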

Read the full report for GHSA-JPVJ-WPMJ-H7RV on our website for more details including interactive diagrams and full exploit analysis.
