VDB
GCVE-110-OSM-2026-3313
GCVE-110-OSM-2026-3313
Advisory PublishedCVSS 5.4/10
Bug bounty dependency confusion attempt. Package exfiltrates basic system information (hostname, IP, DNS) to security research infrastructure. Behaviors: data exfiltration, code execution, network activity, obfuscated code.
Payload: build/_app/immutable/chunks/chart.00dpLzGo.js
Secondary files: build/_app/immutable/nodes/12.qIXiJNPu.js, build/_app/immutable/nodes/0.Dejso4k4.js
Key findings:
- Download Execute Delete Pattern in bin/build-app.mjs: "writeFileSync(join(routesDir, '+page.svelte'), APP_LANDING_STUB, 'utf8');
log..."
- Reconstructed Obfuscated URL in bin/huntflow.mjs: "http://localhost:3000"
- OAST/Interactsh Exfiltration in build/_app/immutable/chunks/bookmarkStore.BGIIfmEA.js: "oastify.com"
- IOCs Found in Deobfuscated Code in build/_app/immutable/chunks/chart.00dpLzGo.js
- IOCs Found in Deobfuscated Code in build/_app/immutable/nodes/12.qIXiJNPu.js
IOCs:
- ipv4: 3.5.7.7, 55.47.98.97
- ipv6: 70::, 500::
- urls: https://huntflow.app, http://localhost:3000`, https://hackerone.com/example, http://xxxxx.oastify.com\`, http://169.254.169.254/latest/meta-data/\` (+47 more)
- domains: hackerone.com, xxxxx.oastify.com, owasp.org, mas.owasp.org, portswigger.net (+24 more)
- emails: target.tld@attacker.tld, attacker@evil.tld, feedback@huntflow.local, sync@huntflow.app
- oastEndpoints: http://xxxxx.oastify.com
- _domainCandidates: www.chartjs.org, t.chart.chartArea.top
- payloadFileHash: cfe725ba8ab2fbd61b9e34a4761dfe11c41b2da7f81c41fb906552b680531aa6
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | huntflow | all (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.