VDB

GCVE-110-OSM-2026-1403

GCVE-110-OSM-2026-1403
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 30, 2026
Executes attacker-controlled JavaScript from https://www.jsonkeeper.com/b/GLHZE and https://www.jsonkeeper.com/b/8YQEM via two fetch(atob(...))+eval IIFEs on every require(), while impersonating the real feross/buffer package (34M+ weekly downloads) by forging the author's name, email, and repository URL. index.js inserts two IIFEs immediately after the Buffer.TYPED_ARRAY_SUPPORT block: both decode a base64 URL (randomStringRe → /b/GLHZE, tokenStringRe → /b/8YQEM), fetch JSON from jsonkeeper.com, and eval response.content. Package claims author feross@feross.org and links to github.com/feross/buffer but is not the real buffer package. Suspicious additions: axios, request, execp as production dependencies. 5 versions published in 43 minutes on 2026-03-30.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownbuffer-util-extend

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›