VDB
GCVE-110-OSM-2026-2602
GCVE-110-OSM-2026-2602
Advisory PublishedCVSS 5.4/10
Installs platform-specific native binaries (macOS, Linux, Windows) with full permissions (0777) via postinstall hook on a hijacked package originally created in 2019. The compiled OCaml binaries import full POSIX networking (socket, connect, send, recv, getaddrinfo), process execution (fork, execv, execve, execvp, system), and environment access (getenv) capabilities. Version 1.0.0 published 2026-04-16 weaponizes a previously dormant package.
**Trigger** (`postinstall`): executes `node ./postinstall.js` at install time.
**Architecture detection**: runs `getconf LONG_BIT` via `execSync` on Linux to determine architecture.
**Binary installation**: copies platform-specific compiled OCaml binary (platform-darwin/bin/Upgrade, platform-linux/bin/Upgrade, or platform-windows-x64/bin/Upgrade.exe) to bin/ directory and sets permissions to 0777.
**Secondary extraction**: runs esyInstallRelease.js which extracts _export/bloodyowl_upgrade_reason_react-9dfa120e.tar.gz into esy store path.
**Native capabilities**: all three binaries are compiled OCaml programs with full Unix module imports — socket, connect, bind, listen, send, recv, accept, execv, execve, execvp, fork, system, dlopen, getaddrinfo, gethostbyname, getenv. No C2 URLs or domains were found in binary string analysis.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | bloodyowl-upgrade-reason-react | 1.0.0 (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.