# [CRIT] [GHSA / CRITICAL] CVE-2026-46421: Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) **Source:** GitHub Security Advisories **Published:** 2026-05-20 **Article:** https://github.com/advisories/GHSA-pvw4-cvr4-97p8 ## Threat Profile Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) ## Impact On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be co… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-46421` - **IPv4 (defanged):** `94.154.172.43` - **Domain (defanged):** `zero.masscan.cloud` - **SHA256:** `4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34` - **SHA256:** `6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95` - **SHA256:** `eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1195.002** — Compromise Software Supply Chain - **T1071** — Application Layer Protocol - **T1027** — Obfuscated Files or Information - **T1071.001** — Application Layer Protocol: Web Protocols - **T1071.004** — Application Layer Protocol: DNS - **T1041** — Exfiltration Over C2 Channel - **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1552.001** — Unsecured Credentials: Credentials In Files ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Mini Shai-Hulud C2 callback to zero.masscan.cloud / 94.154.172.43 `UC_235_4` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.src) as src values(All_Traffic.dest) as dest values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.app) as app from datamodel=Network_Traffic where (All_Traffic.dest_ip="94.154.172.43" OR All_Traffic.dest="zero.masscan.cloud" OR All_Traffic.dest="*.masscan.cloud") by All_Traffic.src All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.app | `drop_dm_object_name(All_Traffic)` | append [| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(DNS.src) as src values(DNS.query) as query values(DNS.answer) as answer from datamodel=Network_Resolution where (DNS.query="zero.masscan.cloud" OR DNS.query="*.masscan.cloud" OR DNS.answer="94.154.172.43") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(DNS)`] | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql let MaliciousDomains = dynamic(["zero.masscan.cloud"]); let MaliciousIPs = dynamic(["94.154.172.43"]); let NetHits = DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteIP in (MaliciousIPs) or RemoteUrl has_any (MaliciousDomains) | project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessAccountName, InitiatingProcessParentFileName; let DnsHits = DeviceEvents | where Timestamp > ago(30d) | where ActionType in ("DnsQueryResponse","DnsConnectionInspected","InboundConnectionAccepted") | where RemoteUrl has_any (MaliciousDomains) or RemoteIP in (MaliciousIPs) or AdditionalFields has "masscan.cloud" or AdditionalFields has "94.154.172.43" | project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields; union NetHits, DnsHits | order by Timestamp desc ``` ### Compromised @cap-js stealer artefact hash present on disk or in execution `UC_235_5` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.user) as user from datamodel=Endpoint.Filesystem where (Filesystem.file_hash IN ("4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34","6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95","eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb")) by Filesystem.dest Filesystem.file_name Filesystem.file_path Filesystem.process_name | `drop_dm_object_name(Filesystem)` | append [| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.process_hash IN ("4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34","6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95","eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb")) by Processes.dest Processes.process_name Processes.parent_process_name | `drop_dm_object_name(Processes)`] | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql let CapJsHashes = dynamic([ "4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34", "6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95", "eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb"]); let FileHits = DeviceFileEvents | where Timestamp > ago(90d) | where SHA256 in (CapJsHashes) | project Timestamp, Source="DeviceFileEvents", DeviceId, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath; let ProcHits = DeviceProcessEvents | where Timestamp > ago(90d) | where SHA256 in (CapJsHashes) or InitiatingProcessSHA256 in (CapJsHashes) | project Timestamp, Source="DeviceProcessEvents", DeviceId, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName=InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName=AccountName, InitiatingProcessFolderPath=InitiatingProcessFolderPath; let ImgHits = DeviceImageLoadEvents | where Timestamp > ago(90d) | where SHA256 in (CapJsHashes) | project Timestamp, Source="DeviceImageLoadEvents", DeviceId, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName=InitiatingProcessAccountName, InitiatingProcessFolderPath; union FileHits, ProcHits, ImgHits | order by Timestamp desc ``` ### Trusted vendor binary / installer launching unusual children `UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe") AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe") | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-46421` - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `94.154.172.43`, `zero.masscan.cloud` - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34`, `6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95`, `eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb` ## Why this matters Severity classified as **CRIT** based on: CVE present, IOCs present, 6 use case(s) fired, 10 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.