{"id":"MAL-2026-4161","summary":"Malicious code in @cap-js/openapi (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (243c059793e8b277fc77959046b7b064cb740d568fa53e4d30b9075660d9dab5)\nThe package @cap-js/openapi was found to contain malicious code.\n\n## Source: google-open-source-security (847ef6b381d410bf176f7414a6f0fbbcf46a5f39b6d9011e126b279bd2d781df)\nThis package was compromised as part of the ongoing \"Mini Shai-Hulud is back\" worm by the TeamPCP threat actor.\n\nThe package will steal credentials and then propagate it to every package it has access to. The package also attempts to remain persistent.\n","modified":"2026-05-19T18:02:14.674560436Z","published":"2026-05-19T05:00:00Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-19T05:36:35Z","versions":["1.4.1"],"sha256":"847ef6b381d410bf176f7414a6f0fbbcf46a5f39b6d9011e126b279bd2d781df","import_time":"2026-05-19T05:55:55.089101Z","source":"google-open-source-security"},{"modified_time":"2026-05-19T16:47:48Z","versions":["1.4.1"],"import_time":"2026-05-19T17:50:34.716698784Z","sha256":"243c059793e8b277fc77959046b7b064cb740d568fa53e4d30b9075660d9dab5","source":"amazon-inspector"}]},"references":[{"type":"ARTICLE","url":"https://socket.dev/blog/antv-packages-compromised"},{"type":"ARTICLE","url":"https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/"},{"type":"ARTICLE","url":"https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages"}],"affected":[{"package":{"name":"@cap-js/openapi","ecosystem":"npm","purl":"pkg:npm/%40cap-js%2Fopenapi"},"versions":["1.4.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@cap-js/openapi/MAL-2026-4161.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}