VDB

GCVE-110-OSM-2026-3161

GCVE-110-OSM-2026-3161
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 26, 2026
Injects confirmed-malicious packages web-api-node and api-ts-utils as phantom dependencies, causing npm to silently install credential-stealing malware on any machine that runs 'npm install ts-node-utils'. ts-node-utils@8.0.6 ships an unmodified copy of the legitimate ts-node compiled source as cover. package.json declares web-api-node@^1.3.3 and api-ts-utils@^2.1.3 as dependencies, but neither package is require()d anywhere across all 49 JavaScript source files in the package. npm installs both automatically on 'npm install ts-node-utils'. web-api-node (same publisher ffffrakyevin, frankykevin.dev@gmail.com) injects require("gleb-js") at module load time inside a trojanized big.js copy. api-ts-utils (same publisher, already submitted to OSM) is a confirmed credential stealer. Author field spoofs Blake Embrey (legitimate ts-node maintainer); repository URL points to TypeStrong/ts-node as cover. Publisher frankykevin.dev@gmail.com is on the DeceptiveDevelopment (DPRK) watchlist. sha256(dist/index.js): 18fadde57c41189f42a4fc4a6ccf5e4a7d219ca0d4264deb3619188b89deac3d.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownts-node-utils8.0.6 (affected)

References

vendor

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›