VDB
GCVE-110-OSM-2026-3161
GCVE-110-OSM-2026-3161
Advisory PublishedCVSS 8.8/10
Injects confirmed-malicious packages web-api-node and api-ts-utils as phantom dependencies, causing npm to silently install credential-stealing malware on any machine that runs 'npm install ts-node-utils'.
ts-node-utils@8.0.6 ships an unmodified copy of the legitimate ts-node compiled source as cover. package.json declares web-api-node@^1.3.3 and api-ts-utils@^2.1.3 as dependencies, but neither package is require()d anywhere across all 49 JavaScript source files in the package. npm installs both automatically on 'npm install ts-node-utils'. web-api-node (same publisher ffffrakyevin, frankykevin.dev@gmail.com) injects require("gleb-js") at module load time inside a trojanized big.js copy. api-ts-utils (same publisher, already submitted to OSM) is a confirmed credential stealer. Author field spoofs Blake Embrey (legitimate ts-node maintainer); repository URL points to TypeStrong/ts-node as cover. Publisher frankykevin.dev@gmail.com is on the DeceptiveDevelopment (DPRK) watchlist. sha256(dist/index.js): 18fadde57c41189f42a4fc4a6ccf5e4a7d219ca0d4264deb3619188b89deac3d.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ts-node-utils | 8.0.6 (affected) | — |
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.