VDB

GCVE-110-OSM-2026-1792

GCVE-110-OSM-2026-1792
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 11, 2026
Garnet's story — what makes this malicious From Garnet events alone, without any external IOC feeds: The behavioral profile is clean. Only registry.npmjs.org egress. No postinstall beacon, no C2 callback, no credential access. That's the current runtime reality. But the intent is unambiguous from the code on disk. Garnet captured core.js being written to node_modules/eslint-vite/core.js. That file contains a Google Drive downloader + new Function() eval. The only reason it didn't execute is a bug in the malware — ESM syntax in a CJS package. The version progression tells the story of an active attacker iterating: v1.0.0 → v1.0.1: Changed the Google Drive file ID (rotated the payload) v1.0.1 → v1.0.2: Increased the setTimeout from 2s to 5s (tuning the exfil delay) All three versions published within 2 hours on April 9 The googleDrive.js module is a purpose-built stager: It handles Google's virus-scan warning page, follows redirects, and falls back to drive.usercontent.google.com if the first attempt returns HTML. This is not a utility — it's a loader designed to evade content inspection. The legitimate facade is thin. index.js and flat.js export real ESLint configs. The README.md references eslint-validator (not eslint-vite) — the author copy-pasted from another package. The files array in package.json explicitly includes googleDrive.js, which has zero relevance to an ESLint config. Verdict Malicious — broken loader stage. The package is a supply chain attack that failed to detonate due to a CommonJS/ESM incompatibility in the install hook. If the author fixes package.json to add "type": "module" (or rewrites core.js to use require()), the next version will successfully fetch and eval arbitrary JavaScript from Google Drive at install time. Garnet proved the package didn't phone home at the kernel level — the behavioral evidence is definitive. The code analysis confirms the intent. This is an attacker who's actively iterating (3 versions in 2 hours, payload rotation, timing adjustments) and will likely publish a working version soon. Malicious — broken loader stage. The package is a supply chain attack that failed to detonate due to a CommonJS/ESM incompatibility in the install hook. If the author fixes package.json to add "type": "module" (or rewrites core.js to use require()), the next version will successfully fetch and eval arbitrary JavaScript from Google Drive at install time.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowneslint-vite

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›