Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)

Critical severity GitHub Reviewed Published May 14, 2026 in cap-js/cds-dbs • Updated May 20, 2026

Package                          Affected versions   Patched versions
npm @cap-js/db-service (npm)     = 2.10.1            2.11.0
npm @cap-js/postgres (npm)       = 2.2.2             2.3.0
npm @cap-js/sqlite (npm)         = 2.2.2             2.3.0

Description

Impact

On April 29, 2026, compromised versions of @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 were published.
The malicious packages harvested credentials and attempted self-propagation.
If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised.

Patches

Upgrade to @cap-js/sqlite >= 2.4.0, @cap-js/postgres >= 2.3.0, @cap-js/db-service >= 2.11.0.
If a compromised version was ever installed, rotate all affected credentials.
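A practical first step when triaging this advisory is to check whether any lockfile in your estate pinned one of the exact compromised versions, including transitively (a plugin that vendored its own copy under a nested node_modules). The following scanner is an added example, not code from the advisory or the cap-js project; the version pairs are the ones the advisory names, and the two lockfiles it runs against are constructed samples covering both the lockfileVersion 1 tree layout and the lockfileVersion 2/3 flat "packages" map.

```javascript
// Added example: detect the compromised @cap-js versions named in the advisory
// inside a package-lock.json object. Only exact matches count; anything else
// (including the patched versions) is reported clean.
const COMPROMISED = {
  "@cap-js/sqlite": ["2.2.2"],
  "@cap-js/postgres": ["2.2.2"],
  "@cap-js/db-service": ["2.10.1"],
};

// lockfileVersion 2/3 keys look like "node_modules/@cap-js/sqlite" or, when
// nested, "node_modules/foo/node_modules/@cap-js/sqlite". The package name is
// whatever follows the last "node_modules/" segment.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// lockfileVersion 1 stores a tree: name -> { version, dependencies: {...} }.
// Yield every node with a ">"-separated path so nested hits are locatable.
function* walkV1(deps, path = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield { name, version: info.version, where: here.join(" > ") };
    yield* walkV1(info.dependencies, here);
  }
}

// Return a list of { name, version, where } for every compromised install.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = COMPROMISED[name];
    if (bad && bad.includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project entry, not a dependency
      check(packageNameFromKey(key), info.version, key);
    }
  } else {
    for (const node of walkV1(lock.dependencies)) check(node.name, node.version, node.where);
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): top-level installs are patched, but a
// plugin carries its own nested copy of a compromised @cap-js/postgres.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.3.0" },
    "node_modules/@cap-js/db-service": { version: "2.11.0" },
    "node_modules/some-plugin": { version: "0.1.0" },
    "node_modules/some-plugin/node_modules/@cap-js/postgres": { version: "2.2.2" },
  },
};

// Constructed sample (lockfileVersion 1): one direct and one nested hit.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "@cap-js/sqlite": { version: "2.2.2" },
    "some-plugin": {
      version: "0.1.0",
      dependencies: { "@cap-js/db-service": { version: "2.10.1" } },
    },
  },
};

for (const [label, lock] of [["v3 sample", SAMPLE_LOCK_V3], ["v1 sample", SAMPLE_LOCK_V1]]) {
  const hits = findCompromised(lock);
  console.log(`${label}: ${hits.length} compromised install(s)`);
  for (const h of hits) console.log(`  ${h.name}@${h.version} at ${h.where}`);
}
```

A hit anywhere in the lockfile means the install step on that machine ran the malicious package, so the credential rotation the advisory calls for applies regardless of whether the package was a direct or transitive dependency. To run this against a real file, parse it with `JSON.parse` and pass the resulting object to `findCompromised`.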

Workarounds

No workarounds.

References

patricebender published to cap-js/cds-dbs May 14, 2026
Published to the GitHub Advisory Database May 20, 2026
Reviewed May 20, 2026
Last updated May 20, 2026

Severity

Critical

Weaknesses

Embedded Malicious Code

The product contains code that appears to be malicious in nature.

CVE ID

CVE-2026-46421

GHSA ID

GHSA-pvw4-cvr4-97p8
