VDB

GCVE-110-OSM-2026-1752

GCVE-110-OSM-2026-1752
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 10, 2026
Typosquats eslint-plugin-import (41M+ weekly downloads) via a preinstall hook that silently contacts attacker-controlled domain eslintdep.org, receives a platform-keyed JSON list of package names, and probes the victim's OS package manager (dpkg-query/brew/winget) to fingerprint the installed toolchain; a broken shellEscape regex permits shell metacharacters (|, ;, >, &) in exec() calls, enabling remote code execution via any crafted entry in the C2 response. Trigger (preinstall): executes node ./lib/preinstall.js at install time with no user disclosure. Stage-2 fetch: GETs https://eslintdep.org/packages/eslint-import-utils/required.json over HTTPS; parses the response as a platform-keyed object of package name arrays. Live C2 response confirmed via secure_get: {"win32":[],"darwin":["node"],"linux":["build-essential","node-gyp"]} — currently targeting Node.js developers. OS fingerprinting: iterates the platform-specific package list and calls exec() with dpkg-query -W <pkg> (Linux), brew list <pkg> (macOS), or winget list --id <pkg> (Windows). RCE path: shellEscape regex allows characters |, ;, >, & — any crafted entry in the C2 response injects arbitrary shell commands at install time. Gating: exits 1 (blocking install) if any required package is absent, enabling the attacker to gate payload delivery to targets with specific toolchains installed. No data is transmitted outbound; the C2 payload is served entirely from eslintdep.org and can be updated without re-publishing to npm. C2 infrastructure: eslintdep.org resolves to 64.44.154.207; TLS certificate issued 2026-03-16. required.json SHA256: dd2283b770f22350122c3e9162e088fee13edb483f36f6962ecc83a80fb423d3.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowneslint-import-utilsall versions (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›