Severity: Critical
CVSS Score: 9.7
### Impact On May 19, 2026, a compromised version of @cap-js/openapi@1.4.1 was published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. ### Patches Upgrade to @cap-js/openapi >= 1.4.2 If the compromised version was ever installed, rotate all affected credentials. ### Workarounds No workarounds. ### References - [SAP Note 3747787](https://me.sap.com/notes/3747787) - [Developer FAQ](https://www.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html)