VDB

GCVE-110-OSM-2026-1574

GCVE-110-OSM-2026-1574
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 8, 2026
Suspected dependency confusion attack. Behaviors: data exfiltration, code execution, network activity, install-time execution. Payload: index.js Key findings: - Environment Variable Exfiltration in index.js: "process.env[key]) data[key] = process.env[key].substring(0, 100); }); /..." - OAST/Interactsh Exfiltration in index.js: ".oast.fun" - Shell Command Execution in index.js: "require('child_process')" - Suspicious Domain in index.js: "oast.fun" IOCs: - domains: ienfcixqbgvbxkccdoxgfz2zhmspdpiys.oast.fun - payloadFileHash: 5ffb817bec3deeec1eb1dc22abb1f4048e98019d378d53dde51e7a97508fe4b9

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngprofilerall (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›