VDB

GCVE-110-OSM-2026-2600

GCVE-110-OSM-2026-2600
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 17, 2026
Hijacked esy/ReasonML package published from a compromised npm account. The postinstall hook drops platform-specific native binaries (Mach-O x86_64, ELF x86-64) with full POSIX capability surface including networking, process execution, and file system access. The postinstall hook (node ./postinstall.js) detects the host platform (linux or darwin) and copies the matching native binary from platform-{darwin,linux}/bin/reason-i18n-extractor to bin/ with chmod 0777. It then extracts an esy store tarball and runs esyInstallRelease.js which rewrites embedded store path prefixes in the binary and installs it into the local esy store. The darwin binary is a 964,148-byte Mach-O x86_64 executable and the linux binary is a 1,591,128-byte ELF x86-64 executable, both compiled with OCaml via the esy build system. The binaries import the full POSIX socket API (socket, connect, send, recv, getaddrinfo, gethostbyname), process execution functions (fork, execv, execve, execvp, system), dynamic loading (dlopen, dlsym), and comprehensive file operations. No C2 URLs, domains, or IP addresses were extractable from string analysis of either binary. No network connections or process spawns were observed during sandbox execution. The package was published from the hijacked bloodyowl npm account (mlbli@me.com) at 2026-04-16T18:10:48Z, 6 seconds after the confirmed malicious bloodyowl-upgrade-reason-react package. No Windows binary is included; postinstall exits with error on non-linux/darwin platforms.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownreason-i18n-extractor5.0.0 (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›