VDB

GCVE-110-OSM-2026-3313

GCVE-110-OSM-2026-3313
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 29, 2026
Bug bounty dependency confusion attempt. Package exfiltrates basic system information (hostname, IP, DNS) to security research infrastructure. Behaviors: data exfiltration, code execution, network activity, obfuscated code. Payload: build/_app/immutable/chunks/chart.00dpLzGo.js Secondary files: build/_app/immutable/nodes/12.qIXiJNPu.js, build/_app/immutable/nodes/0.Dejso4k4.js Key findings: - Download Execute Delete Pattern in bin/build-app.mjs: "writeFileSync(join(routesDir, '+page.svelte'), APP_LANDING_STUB, 'utf8'); log..." - Reconstructed Obfuscated URL in bin/huntflow.mjs: "http://localhost:3000" - OAST/Interactsh Exfiltration in build/_app/immutable/chunks/bookmarkStore.BGIIfmEA.js: "oastify.com" - IOCs Found in Deobfuscated Code in build/_app/immutable/chunks/chart.00dpLzGo.js - IOCs Found in Deobfuscated Code in build/_app/immutable/nodes/12.qIXiJNPu.js IOCs: - ipv4: 3.5.7.7, 55.47.98.97 - ipv6: 70::, 500:: - urls: https://huntflow.app, http://localhost:3000`, https://hackerone.com/example, http://xxxxx.oastify.com\`, http://169.254.169.254/latest/meta-data/\` (+47 more) - domains: hackerone.com, xxxxx.oastify.com, owasp.org, mas.owasp.org, portswigger.net (+24 more) - emails: target.tld@attacker.tld, attacker@evil.tld, feedback@huntflow.local, sync@huntflow.app - oastEndpoints: http://xxxxx.oastify.com - _domainCandidates: www.chartjs.org, t.chart.chartArea.top - payloadFileHash: cfe725ba8ab2fbd61b9e34a4761dfe11c41b2da7f81c41fb906552b680531aa6

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownhuntflowall (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›