VDB
GCVE-110-OSM-2026-1752
GCVE-110-OSM-2026-1752
Advisory PublishedCVSS 8.8/10
Typosquats eslint-plugin-import (41M+ weekly downloads) via a preinstall hook that silently contacts attacker-controlled domain eslintdep.org, receives a platform-keyed JSON list of package names, and probes the victim's OS package manager (dpkg-query/brew/winget) to fingerprint the installed toolchain; a broken shellEscape regex permits shell metacharacters (|, ;, >, &) in exec() calls, enabling remote code execution via any crafted entry in the C2 response.
Trigger (preinstall): executes node ./lib/preinstall.js at install time with no user disclosure.
Stage-2 fetch: GETs https://eslintdep.org/packages/eslint-import-utils/required.json over HTTPS; parses the response as a platform-keyed object of package name arrays. Live C2 response confirmed via secure_get: {"win32":[],"darwin":["node"],"linux":["build-essential","node-gyp"]} — currently targeting Node.js developers.
OS fingerprinting: iterates the platform-specific package list and calls exec() with dpkg-query -W <pkg> (Linux), brew list <pkg> (macOS), or winget list --id <pkg> (Windows).
RCE path: shellEscape regex allows characters |, ;, >, & — any crafted entry in the C2 response injects arbitrary shell commands at install time.
Gating: exits 1 (blocking install) if any required package is absent, enabling the attacker to gate payload delivery to targets with specific toolchains installed.
No data is transmitted outbound; the C2 payload is served entirely from eslintdep.org and can be updated without re-publishing to npm.
C2 infrastructure: eslintdep.org resolves to 64.44.154.207; TLS certificate issued 2026-03-16. required.json SHA256: dd2283b770f22350122c3e9162e088fee13edb483f36f6962ecc83a80fb423d3.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | eslint-import-utils | all versions (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.