VDB
GCVE-110-OSM-2026-2547
GCVE-110-OSM-2026-2547
Advisory PublishedCVSS 5.4/10
Dependency confusion package squatting on Comcast's internal npm namespace, published by a confirmed malicious actor (realvivek07 / vivekkashyap0707@gmail.com). The same account published paysafe-venmo@99.99.2 and paysafe-apple-pay@99.99.2 — packages with postinstall scripts that exfiltrate USERPROFILE and APPDATA environment variables via HTTPS — which were subsequently seized by the npm security team and replaced with 0.0.1-security tombstones. The package accumulated 113 weekly downloads before removal, indicating successful resolution by real Comcast build systems.
**Mechanism:** Dependency confusion namespace occupation. The package body is a hollow stub: `index.js` exports an empty object, with no install scripts, no dependencies, and no functional code (247 bytes total, 3 files). The malicious value is in the occupied namespace — any Comcast build system that resolves `comcast-internal` from the public npm registry instead of a private registry silently installs this stub.
**Actor pattern:** The publisher (vivekkashyap0707@gmail.com / realvivek07) operates a multi-target dependency confusion campaign. Sibling packages `paysafe-venmo@99.99.2` and `paysafe-apple-pay@99.99.2` from the same account carried postinstall hooks that collect and exfiltrate `USERPROFILE` and `APPDATA` environment variables via HTTPS. Those packages were manually published at version 99.99.2 — a deliberate version number to beat private registry version pinning. npm replaced them with 0.0.1-security tombstones following abuse detection.
**Timeline:** comcast-internal@1.0.0 was published 2026-04-11, one day before the paysafe-* payload versions — consistent with a staged campaign (namespace squat first, deploy payloads next). 113 weekly downloads confirm real CI/CD pickup before removal.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | comcast-internal | 1.0.0 (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.