VDB

GCVE-110-OSM-2026-1900

GCVE-110-OSM-2026-1900
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published February 27, 2026
PolinRider (DPRK) active upstream injection attempt. Open PR #342 from fork Hassam-01/octree adds the PolinRider obfuscated payload (signature: "rmcej%otb%",2857687, tag 9-1148-1) to postcss.config.mjs under the cover of a legitimate-looking commit titled "fix(save): prevent excessive save requests using useRef". The upstream main branch of octree-labs/octree (244 stars) is currently CLEAN — this is a Category B near-miss. Submitter's fork Hassam-01/octree is already documented in OSM. === UPSTREAM INJECTION ATTEMPT (ACTIVE, OPEN) === Attack type: Fork-and-PR upstream injection Fork repo: Hassam-01/octree (already in OSM) Parent repo: octree-labs/octree (244 stars) Fork created: 2026-02-27 PR opened: 2026-02-27 — https://github.com/octree-labs/octree/pull/342 PR state at submission: open PR title: fix(save): prevent excessive save requests using useRef === PAYLOAD === Infected file (in fork): postcss.config.mjs Signature: global['!']='9-1148-1'; var _$_1e42=(function(l,e){...})("rmcej%otb%",2857687) Attack disguise: The legitimate PR changes touch app/projects/[projectId]/page.tsx, hooks/use-document-save.ts (the ostensible "fix"), and then add the malicious payload by appending it after export default config; in postcss.config.mjs with whitespace padding to push it off-screen in code review UIs. === PR STATUS === PRs to parent: 1 (open) Parent infected: No (near miss) Parent stars: 244 Parent is not a fork; downstream impact of merge would be significant. === AUTHOR === Hassam-01 (Hassam Ali), account 2023-12-30, 44 public repos, 6 followers. Profile pattern consistent with a compromised real developer.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›