VDB

GCVE-110-OSM-2026-2637

GCVE-110-OSM-2026-2637
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 17, 2026
This payload doesn't do what it says it does. there is no color website functions in this package. While there is no overt malicious behaviour in this package right now, we are flagging it as a potential secondary artifact to be used in future threat campaigns. Key findings: - Very New NPM Publisher Account - Rapid Version Publishing - index.js has single function that logs user out of a website Payload is probably going to be used by another package as part of a chained attack.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownadd-colors-to-websiteall (affected)

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›