{"data":{"id":"71437032-941c-4c13-8f12-d858b2a654b6","title":"GHSA-8pqq-224h-x875: ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key","summary":"Between February and April 2026, 22 versions of the ogham-mcp package were accidentally published on PyPI (the Python package repository) with embedded credentials, including database passwords for Neon postgres (a database service) and a Voyage AI API key (a token that grants access to an AI service). No evidence of actual misuse was found, and all credentials have been rotated by the maintainers.","solution":"Upgrade to v0.11.1 immediately by running: pip install --upgrade \"ogham-mcp>=0.11.1\". This version no longer contains the leaked credentials and adds automated scanning to prevent future credential leaks. Users do not need to rotate credentials on their own end, as the exposed credentials belonged to the project maintainers, not to users.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-8pqq-224h-x875","publishedAt":"2026-05-05T00:03:48.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["ogham-mcp@>= 0.6.3, < 0.11.1 (fixed: 0.11.1)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Neon","Voyage AI","ogham-mcp"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-05-05T00:03:48.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}