VDB

GCVE-110-OSM-2026-2544

GCVE-110-OSM-2026-2544
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 16, 2026
Dependency confusion package squatting on Walmart's internal utility namespace, part of a multi-target campaign by confirmed malicious actor realvivek07 (vivekkashyap0707@gmail.com) targeting Walmart, Comcast, and Paysafe. Sibling packages paysafe-venmo@99.99.2 and paysafe-apple-pay@99.99.2 from the same account carry postinstall hooks that exfiltrate USERPROFILE and APPDATA environment variables via HTTPS, and were seized by the npm security team. The tarball is deleted and unrecoverable; 100 weekly downloads confirm the package resolved in real build environments before removal. **Mechanism:** Dependency confusion namespace occupation targeting Walmart's internal utilities namespace. The package was a minimal stub (241 bytes, 3 files), manually published without git provenance, with no declared install scripts. **Actor campaign:** The publisher (vivekkashyap0707@gmail.com / realvivek07) operates a coordinated dep-confusion campaign. Confirmed sibling behavior (paysafe-venmo@99.99.2): postinstall hook collects `USERPROFILE`, `APPDATA`, and OS environment variables and exfiltrates them via HTTPS. npm seized those packages after abuse detection. This package was published simultaneously with walmart-core@1.0.0, comcast-api@1.0.0, and comcast-internal@1.0.0 on 2026-04-11 — a batch namespace reservation campaign. **Limitation:** Tarball is unrecoverable from npm, npmmirror, and Huawei mirror. Payload confirmation is not possible; candidate is actor-attributed.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownwalmart-utils1.0.0 (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›