VDB

GCVE-110-OSM-2026-2552

GCVE-110-OSM-2026-2552
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
Malicious package detected. Behaviors: data exfiltration, obfuscated code, install-time execution. Payload: lib/env-check.js Secondary files: lib/reporter.js Key findings: - HTTP Data Exfiltration in lib/env-check.js: "os.userInfo().username, _p: os.platform(), _a: os.arch(), _d: ..." - Platform Detection with Data Collection in lib/env-check.js: "JSON.stringify({ _n: process.env.npm_package_name, _v: process.env.n..." - HTTP Data Exfiltration in lib/reporter.js: "os.hostname(), _u: os.userInfo().username, _p: os.platform(), ..." - Platform Detection with Data Collection in lib/reporter.js: "JSON.stringify({ _n: '@shopee-order/declarative-tracker', _c: ctx ||..." - Install Hook Executes Local JS File in package.json: ""postinstall": "node lib/env-check.js"" IOCs: - payloadFileHash: dcb0e55684c2b3a188946cc0eaca05b223941bc62fd09743e338272b39e7b1e5

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowndeclarative-trackerall (affected)

References

advisory
vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›