VDB

GCVE-110-OSM-2026-2602

GCVE-110-OSM-2026-2602
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 17, 2026
Installs platform-specific native binaries (macOS, Linux, Windows) with full permissions (0777) via postinstall hook on a hijacked package originally created in 2019. The compiled OCaml binaries import full POSIX networking (socket, connect, send, recv, getaddrinfo), process execution (fork, execv, execve, execvp, system), and environment access (getenv) capabilities. Version 1.0.0 published 2026-04-16 weaponizes a previously dormant package. **Trigger** (`postinstall`): executes `node ./postinstall.js` at install time. **Architecture detection**: runs `getconf LONG_BIT` via `execSync` on Linux to determine architecture. **Binary installation**: copies platform-specific compiled OCaml binary (platform-darwin/bin/Upgrade, platform-linux/bin/Upgrade, or platform-windows-x64/bin/Upgrade.exe) to bin/ directory and sets permissions to 0777. **Secondary extraction**: runs esyInstallRelease.js which extracts _export/bloodyowl_upgrade_reason_react-9dfa120e.tar.gz into esy store path. **Native capabilities**: all three binaries are compiled OCaml programs with full Unix module imports — socket, connect, bind, listen, send, recv, accept, execv, execve, execvp, fork, system, dlopen, getaddrinfo, gethostbyname, getenv. No C2 URLs or domains were found in binary string analysis.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownbloodyowl-upgrade-reason-react1.0.0 (affected)

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›