GHSA-8pqq-224h-x875: ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key
Summary
Between February and April 2026, 22 versions of the ogham-mcp package were accidentally published to PyPI (the Python package repository) with credentials embedded in the sdist, including database passwords in Neon postgres connection URLs (Neon is a managed database service) and a Voyage AI API key (a token that grants access to an AI service). No evidence of actual misuse was found, and the maintainers have rotated all of the exposed credentials.
Solution / Mitigation
Upgrade to v0.11.1 immediately by running: pip install --upgrade "ogham-mcp>=0.11.1". This version removes the leaked credentials from the published package and adds automated scanning to prevent future credential leaks. Users do not need to rotate credentials on their own end: the exposed credentials belonged to the project maintainers, not to users, and the maintainers' rotation is what closes the exposure, since the previously published archives can still be downloaded.
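The kind of pre-publish check that catches this class of leak, as an added example that is not ogham-mcp's own scanning code: it walks a built sdist tarball and flags postgres URLs that carry a password and API-key style assignments with a literal value. The key regex is an assumed shape (not Voyage's real key format), and the sdist it scans is constructed inline.

```python
# Added example (not ogham-mcp's own tooling): scan a built sdist for the two
# credential classes the advisory names before it is uploaded to PyPI.
import io
import re
import tarfile

# postgres://user:password@host/db -- flag only URLs that carry a password
PG_URL_WITH_PASSWORD = re.compile(
    r"postgres(?:ql)?://[^:\s/@]+:[^@\s]+@[^\s'\"]+", re.IGNORECASE)
# NAME_API_KEY = "literal" (also *_SECRET / *_TOKEN); assumed shape, not Voyage's real key format
KEY_ASSIGNMENT = re.compile(
    r"(?P<name>[A-Z0-9_]*(?:API_KEY|SECRET|TOKEN))\s*[=:]\s*['\"](?P<val>[^'\"]{16,})['\"]")
PLACEHOLDERS = ("changeme", "example", "xxx", "your_", "<")

def scan_text(path, text):
    """Return (path, kind) findings for one file's content."""
    findings = []
    for line in text.splitlines():
        if PG_URL_WITH_PASSWORD.search(line):
            findings.append((path, "postgres-url-with-password"))
        m = KEY_ASSIGNMENT.search(line)
        if m and not any(p in m.group("val").lower() for p in PLACEHOLDERS):
            findings.append((path, "literal-" + m.group("name")))
    return findings

def scan_sdist(data):
    """Walk every regular file in a .tar.gz sdist; non-UTF-8 members are skipped."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                raw = tar.extractfile(member).read()
                try:
                    findings.extend(scan_text(member.name, raw.decode("utf-8")))
                except UnicodeDecodeError:
                    pass  # binary member such as an image; nothing to grep
    return findings

def build_sample_sdist():
    """Constructed sdist: one module leaking both secrets, one clean module."""
    files = {
        "pkg-0.1/pkg/config.py": 'DATABASE_URL = "postgres://app:S3cretPass@ep-x.neon.tech/db"\nVOYAGE_API_KEY = "pa-CONSTRUCTED-NOT-A-REAL-KEY"\n',
        "pkg-0.1/pkg/clean.py": 'DATABASE_URL = "postgres://app@localhost/db"\nVOYAGE_API_KEY = "<your_key_here>"\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()
```

Run it against the real archive in dist/ from a CI step and fail the release when the list is non-empty; the placeholder filter keeps documented dummy values such as "<your_key_here>" from tripping it.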
Original source: https://github.com/advisories/GHSA-8pqq-224h-x875
First tracked: May 5, 2026 at 02:00 AM