Description
The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project’s CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch.
Recommendation
No fix is available yet. The following versions are affected:
- = 3.8.0
- = 3.7.0
- = 3.6.2
- = 3.5.3
References
Related Issues
- Malicious Package in coffee-project - Vulnerability
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations - CVE-2026-47717
- Incorrect default cookie name and recommendation - Vulnerability
Tags: npm, @opensearch-project/opensearch
Last updated on May 19, 2026


