VDB
GCVE-110-OSM-2026-2637
GCVE-110-OSM-2026-2637
Advisory PublishedCVSS 5.4/10
This payload doesn't do what it says it does. there is no color website functions in this package. While there is no overt malicious behaviour in this package right now, we are flagging it as a potential secondary artifact to be used in future threat campaigns.
Key findings:
- Very New NPM Publisher Account
- Rapid Version Publishing
- index.js has single function that logs user out of a website
Payload is probably going to be used by another package as part of a chained attack.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | add-colors-to-website | all (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.