CVE-2026-46421: Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)

May 20, 2026

On April 29, 2026, compromised versions of @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.

References

github.com/advisories/GHSA-pvw4-cvr4-97p8
github.com/cap-js/cds-dbs/security/advisories/GHSA-pvw4-cvr4-97p8
me.sap.com/notes/3747787
nvd.nist.gov/vuln/detail/CVE-2026-46421
www.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html
www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared

Code Behaviors & Features

Detect and mitigate CVE-2026-46421 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →