Intelligence
criticalVulnerabilityActive

Supply Chain Compromise: Malicious @cap-js/openapi Package with Credential Harvesting

A compromised npm package (@cap-js/openapi v1.4.1) was published containing malicious code that harvests machine-local credentials and attempts self-propagation. Organizations must assume all credentials accessible during installation are compromised.

S
Sebastion

Affected

@cap-js/openapi@1.4.1

Vulnerability Description

This incident represents a supply chain attack via compromised npm package. The malicious code in @cap-js/openapi v1.4.1 exhibits classic credential-harvesting malware behavior: exfiltration of npm tokens, cloud provider credentials (AWS, Azure, GCP), SSH keys, and GitHub Personal Access Tokens (PATs). The self-propagation mechanism indicates the attacker aimed for lateral spread through compromised developer environments and CI/CD pipelines. This is a post-install code execution vulnerability class, where arbitrary code runs during the npm install phase with the privileges of the installing user.

Proof-of-Concept Significance

While this advisory describes an actual incident rather than a PoC, the significance is that the compromise was confirmed in production on May 19, 2026. This proves supply chain attacks against popular packages are executable and reliable—the attacker successfully infiltrated SAP's ecosystem and published to npm's public registry. The precondition is minimal: any developer or CI/CD system installing the affected version between publication and removal automatically becomes a target.

Detection Guidance

Immediate Indicators:

  • Package manager logs showing @cap-js/openapi@1.4.1 installation
  • Unexpected child processes spawned during npm install (monitor post-install hook execution)
  • Outbound connections from npm post-install scripts to external C2 or exfiltration servers
  • File access patterns targeting ~/.ssh, ~/.npm, ~/.config, environment variables containing credentials
  • Modified ~/.npmrc or ~/.gitconfig files

Log Indicators:

  • npm debug logs showing post-install script execution with unusual command patterns
  • Network egress to unknown IPs during package installation
  • Process spawning bash/powershell children from node.exe or npm.exe

Mitigation Steps

  1. Immediate: Audit all systems and CI/CD pipelines for @cap-js/openapi@1.4.1 in package-lock.json or yarn.lock
  2. Patch: Upgrade to @cap-js/openapi >= 1.4.2 immediately
  3. Credential Rotation: Assume ALL credentials accessible on affected machines are compromised—rotate npm tokens, AWS keys, Azure credentials, SSH keys, GitHub PATs, and any other secrets
  4. Audit: Review git logs and CI/CD activity during the compromise window for unusual commits or deployments
  5. Prevention: Implement npm post-install hook monitoring, package integrity verification (npm audit), and consider lockfile-only installs

Risk Assessment

Likelihood: Very High. Supply chain attacks are increasingly sophisticated and attractive to threat actors. npm's scale makes it a high-value target. Threat Actor Interest: Critical—this demonstrates active exploitation. The self-propagation mechanism and credential harvesting indicate organized threat actors seeking persistent access to enterprise environments. Given SAP's prominence, this attack likely targets large organizations with valuable credentials. Organizations should assume active, ongoing exploitation attempts and treat credential rotation as an emergency security incident.

Sources

pocsupply-chainnpmcredential-theftmalwarepackage-compromiseself-propagation
Back to intelligence