VDB

GCVE-110-OSM-2026-2656

GCVE-110-OSM-2026-2656
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 17, 2026
Exfiltrates environment variables (USERDOMAIN, USERDNSDOMAIN), system info (username, hostname, platform), and git remote URL to an attacker-controlled Supabase webhook at baoreqygjveumkkxydcd.supabase.co via a preinstall hook. Data is base64-encoded in a query parameter using payload token npm_doctolib_v916 for victim organization fingerprinting. Part of a coordinated dependency confusion campaign targeting Doctolib's internal npm namespace — shares C2 infrastructure and publisher account with sibling package paddle-internal-scripts. **Trigger** (`preinstall`): executes `node scripts/audit.js` at install time. **Collection**: reads environment variables `USERDOMAIN` and `USERDNSDOMAIN`; reads `os.userInfo()`, `os.hostname()`, `os.platform()` via Node.js OS APIs; spawns `git remote -v` via `execSync` to capture the victim repository's git remote URL for organization identification. **Encoding**: collected data serialized and base64-encoded in query parameter format `npm_doctolib_v916_<b64>`. **Exfiltration**: GET request to `https://baoreqygjveumkkxydcd.supabase.co/functions/v1/Webhook_OOB?data=npm_doctolib_v916_<b64>`. Three live HTTPS connections to this endpoint were confirmed at install time. Same C2 as sibling package paddle-internal-scripts.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownrenovate-config-doctolib9.9.16 (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›