VDB

GCVE-110-OSM-2026-3003

GCVE-110-OSM-2026-3003
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 22, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. Payload: src/postgres.js Secondary files: .genie/scripts/helpers/bullet-id.js, bin/pgserve-wrapper.cjs Key findings: - Reconstructed Obfuscated URL in src/postgres.js: "https://registry.npmjs.org/@embedded-postgres/windows-x64" - Dynamic Code Execution in .genie/scripts/helpers/analyze-commit.js: "exec(message)" - Shell Command Execution in .genie/scripts/helpers/analyze-commit.js: "require('child_process')" - Shell Command Execution in .genie/scripts/helpers/bullet-counter.js: "require('child_process')" - Shell Command Execution in .genie/scripts/helpers/bullet-find.js: "require('child_process')" IOCs: - ipv4: 1.1.3.10 - ipv6: 1::, 2:: - urls: https://www.conventionalcommits.org/, https://forge.namastex.ai/tasks/abc123, https://docs.gitguardian.com/ggshield-docs/reference/gitguardian-yaml, https://namastex.ai, https://bun.sh/docs/runtime/bunfig (+4 more) - domains: www.conventionalcommits.org, husky.sh, docs.gitguardian.com, bun.sh, namastex.com (+6 more) - emails: genie@namastex.ai, 120363421396472428@g.us, 120363345897732032@g.us, pessoa@namastex.ai, 5511999999999@s.whatsapp.net (+4 more) - payloadFileHash: 06e074cd33d9cd1e8c7a74e5b900b3814e3c8ea629c1553551c23a15ecddd44b

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpgserve1.1.10 (affected)

References

advisory
vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›