VDB
GCVE-110-OSM-2026-2656
GCVE-110-OSM-2026-2656
Advisory PublishedCVSS 5.4/10
Exfiltrates environment variables (USERDOMAIN, USERDNSDOMAIN), system info (username, hostname, platform), and git remote URL to an attacker-controlled Supabase webhook at baoreqygjveumkkxydcd.supabase.co via a preinstall hook. Data is base64-encoded in a query parameter using payload token npm_doctolib_v916 for victim organization fingerprinting. Part of a coordinated dependency confusion campaign targeting Doctolib's internal npm namespace — shares C2 infrastructure and publisher account with sibling package paddle-internal-scripts.
**Trigger** (`preinstall`): executes `node scripts/audit.js` at install time.
**Collection**: reads environment variables `USERDOMAIN` and `USERDNSDOMAIN`; reads `os.userInfo()`, `os.hostname()`, `os.platform()` via Node.js OS APIs; spawns `git remote -v` via `execSync` to capture the victim repository's git remote URL for organization identification.
**Encoding**: collected data serialized and base64-encoded in query parameter format `npm_doctolib_v916_<b64>`.
**Exfiltration**: GET request to `https://baoreqygjveumkkxydcd.supabase.co/functions/v1/Webhook_OOB?data=npm_doctolib_v916_<b64>`. Three live HTTPS connections to this endpoint were confirmed at install time. Same C2 as sibling package paddle-internal-scripts.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | renovate-config-doctolib | 9.9.16 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.