VDB
GCVE-110-OSM-2026-2544
GCVE-110-OSM-2026-2544
Advisory PublishedCVSS 5.4/10
Dependency confusion package squatting on Walmart's internal utility namespace, part of a multi-target campaign by confirmed malicious actor realvivek07 (vivekkashyap0707@gmail.com) targeting Walmart, Comcast, and Paysafe. Sibling packages paysafe-venmo@99.99.2 and paysafe-apple-pay@99.99.2 from the same account carry postinstall hooks that exfiltrate USERPROFILE and APPDATA environment variables via HTTPS, and were seized by the npm security team. The tarball is deleted and unrecoverable; 100 weekly downloads confirm the package resolved in real build environments before removal.
**Mechanism:** Dependency confusion namespace occupation targeting Walmart's internal utilities namespace. The package was a minimal stub (241 bytes, 3 files), manually published without git provenance, with no declared install scripts.
**Actor campaign:** The publisher (vivekkashyap0707@gmail.com / realvivek07) operates a coordinated dep-confusion campaign. Confirmed sibling behavior (paysafe-venmo@99.99.2): postinstall hook collects `USERPROFILE`, `APPDATA`, and OS environment variables and exfiltrates them via HTTPS. npm seized those packages after abuse detection. This package was published simultaneously with walmart-core@1.0.0, comcast-api@1.0.0, and comcast-internal@1.0.0 on 2026-04-11 — a batch namespace reservation campaign.
**Limitation:** Tarball is unrecoverable from npm, npmmirror, and Huawei mirror. Payload confirmation is not possible; candidate is actor-attributed.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | walmart-utils | 1.0.0 (affected) | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.