VDB
GCVE-110-OSM-2026-2600
GCVE-110-OSM-2026-2600
Advisory PublishedCVSS 5.4/10
Hijacked esy/ReasonML package published from a compromised npm account. The postinstall hook drops platform-specific native binaries (Mach-O x86_64, ELF x86-64) with full POSIX capability surface including networking, process execution, and file system access.
The postinstall hook (node ./postinstall.js) detects the host platform (linux or darwin) and copies the matching native binary from platform-{darwin,linux}/bin/reason-i18n-extractor to bin/ with chmod 0777. It then extracts an esy store tarball and runs esyInstallRelease.js which rewrites embedded store path prefixes in the binary and installs it into the local esy store. The darwin binary is a 964,148-byte Mach-O x86_64 executable and the linux binary is a 1,591,128-byte ELF x86-64 executable, both compiled with OCaml via the esy build system. The binaries import the full POSIX socket API (socket, connect, send, recv, getaddrinfo, gethostbyname), process execution functions (fork, execv, execve, execvp, system), dynamic loading (dlopen, dlsym), and comprehensive file operations. No C2 URLs, domains, or IP addresses were extractable from string analysis of either binary. No network connections or process spawns were observed during sandbox execution. The package was published from the hijacked bloodyowl npm account (mlbli@me.com) at 2026-04-16T18:10:48Z, 6 seconds after the confirmed malicious bloodyowl-upgrade-reason-react package. No Windows binary is included; postinstall exits with error on non-linux/darwin platforms.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | reason-i18n-extractor | 5.0.0 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.