VDB
GCVE-110-OSM-2026-1900
GCVE-110-OSM-2026-1900
Advisory PublishedCVSS 8.8/10
PolinRider (DPRK) active upstream injection attempt. Open PR #342 from fork Hassam-01/octree adds the PolinRider obfuscated payload (signature: "rmcej%otb%",2857687, tag 9-1148-1) to postcss.config.mjs under the cover of a legitimate-looking commit titled "fix(save): prevent excessive save requests using useRef". The upstream main branch of octree-labs/octree (244 stars) is currently CLEAN — this is a Category B near-miss. Submitter's fork Hassam-01/octree is already documented in OSM.
=== UPSTREAM INJECTION ATTEMPT (ACTIVE, OPEN) ===
Attack type: Fork-and-PR upstream injection
Fork repo: Hassam-01/octree (already in OSM)
Parent repo: octree-labs/octree (244 stars)
Fork created: 2026-02-27
PR opened: 2026-02-27 — https://github.com/octree-labs/octree/pull/342
PR state at submission: open
PR title: fix(save): prevent excessive save requests using useRef
=== PAYLOAD ===
Infected file (in fork): postcss.config.mjs
Signature: global['!']='9-1148-1'; var _$_1e42=(function(l,e){...})("rmcej%otb%",2857687)
Attack disguise: The legitimate PR changes touch app/projects/[projectId]/page.tsx, hooks/use-document-save.ts (the ostensible "fix"), and then add the malicious payload by appending it after export default config; in postcss.config.mjs with whitespace padding to push it off-screen in code review UIs.
=== PR STATUS ===
PRs to parent: 1 (open)
Parent infected: No (near miss)
Parent stars: 244
Parent is not a fork; downstream impact of merge would be significant.
=== AUTHOR ===
Hassam-01 (Hassam Ali), account 2023-12-30, 44 public repos, 6 followers. Profile pattern consistent with a compromised real developer.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.