VDB

GCVE-110-OSM-2026-3060

GCVE-110-OSM-2026-3060
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 23, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. Payload: src/public/assets/bootstrap@5.3.7.js Secondary files: src/cjs/router/routerStatusDash.cjs, src/esm/discordUtils/discordUtils.mjs Key findings: - Corporate Environment Targeting in src/public/assets/bootstrap@5.3.7.js: "tModifiers$1 = [eventListeners, popperOffsets$1, computeSt" - Dynamic Base64 Decoding in src/cjs/security/crypto.service.cjs: "Buffer.from(encryptedDataB64, 'base64')" - Dynamic Base64 Decoding in src/esm/security/crypto.service.mjs: "Buffer.from(encryptedDataB64, "base64")" IOCs: - urls: https://exemplo.com/arquivo.zip, https://docs.renovatebot.com/renovate-schema.json, https://.+/, https://twitch.tv, http://ns.adobe.com/xap/1.0/ (+7 more) - domains: exemplo.com, docs.renovatebot.com, cdn.discordapp.com, twitch.tv, guild.members.me (+7 more) - emails: bootstrap@5.3.7.css, bootstrap@5.3.7.js - sha256Hashes: cc9c387ac2aad7fa8040738f47ae0ab43e2b77027d188e272a147b1829e3a53f - payloadFileHash: b50f5cddd735b748fd115d88b70ab1d592b4aa3acb6b28f4fa5fe5484814e593

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnpm-package-nodejs-utils-lda1.0.77 (affected)

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›