VDB
GCVE-110-OSM-2026-1792
GCVE-110-OSM-2026-1792
Advisory PublishedCVSS 9.6/10
Garnet's story — what makes this malicious
From Garnet events alone, without any external IOC feeds:
The behavioral profile is clean. Only registry.npmjs.org egress. No postinstall beacon, no C2 callback, no credential access. That's the current runtime reality.
But the intent is unambiguous from the code on disk. Garnet captured core.js being written to node_modules/eslint-vite/core.js. That file contains a Google Drive downloader + new Function() eval. The only reason it didn't execute is a bug in the malware — ESM syntax in a CJS package.
The version progression tells the story of an active attacker iterating:
v1.0.0 → v1.0.1: Changed the Google Drive file ID (rotated the payload)
v1.0.1 → v1.0.2: Increased the setTimeout from 2s to 5s (tuning the exfil delay)
All three versions published within 2 hours on April 9
The googleDrive.js module is a purpose-built stager: It handles Google's virus-scan warning page, follows redirects, and falls back to drive.usercontent.google.com if the first attempt returns HTML. This is not a utility — it's a loader designed to evade content inspection.
The legitimate facade is thin. index.js and flat.js export real ESLint configs. The README.md references eslint-validator (not eslint-vite) — the author copy-pasted from another package. The files array in package.json explicitly includes googleDrive.js, which has zero relevance to an ESLint config.
Verdict
Malicious — broken loader stage. The package is a supply chain attack that failed to detonate due to a CommonJS/ESM incompatibility in the install hook. If the author fixes package.json to add "type": "module" (or rewrites core.js to use require()), the next version will successfully fetch and eval arbitrary JavaScript from Google Drive at install time.
Garnet proved the package didn't phone home at the kernel level — the behavioral evidence is definitive. The code analysis confirms the intent. This is an attacker who's actively iterating (3 versions in 2 hours, payload rotation, timing adjustments) and will likely publish a working version soon.
Malicious — broken loader stage. The package is a supply chain attack that failed to detonate due to a CommonJS/ESM incompatibility in the install hook. If the author fixes package.json to add "type": "module" (or rewrites core.js to use require()), the next version will successfully fetch and eval arbitrary JavaScript from Google Drive at install time.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | eslint-vite | — | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.