VDB
GCVE-110-OSM-2026-1403
GCVE-110-OSM-2026-1403
Advisory PublishedCVSS 9.6/10
Executes attacker-controlled JavaScript from https://www.jsonkeeper.com/b/GLHZE and https://www.jsonkeeper.com/b/8YQEM via two fetch(atob(...))+eval IIFEs on every require(), while impersonating the real feross/buffer package (34M+ weekly downloads) by forging the author's name, email, and repository URL.
index.js inserts two IIFEs immediately after the Buffer.TYPED_ARRAY_SUPPORT block: both decode a base64 URL (randomStringRe → /b/GLHZE, tokenStringRe → /b/8YQEM), fetch JSON from jsonkeeper.com, and eval response.content. Package claims author feross@feross.org and links to github.com/feross/buffer but is not the real buffer package. Suspicious additions: axios, request, execp as production dependencies. 5 versions published in 43 minutes on 2026-03-30.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | buffer-util-extend | — | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.