VDB
GCVE-110-OSM-2026-3437
GCVE-110-OSM-2026-3437
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, install-time execution.
Payload: .bash_history
Secondary files: apple-clean/package.json
Key findings:
- OAST/Interactsh Exfiltration in .bash_history: "webhook.site"
- OAST/Interactsh Exfiltration in apple-clean/apple-supply-chain-poc/package.json: "webhook.site"
- OAST/Interactsh Exfiltration in apple-clean/package.json: "webhook.site"
- OAST/Interactsh Exfiltration in apple-final-poc/package.json: "webhook.site"
- OAST/Interactsh Exfiltration in index.js: "webhook.site"
IOCs:
- ipv4: 1.2.0.0
- ipv6: a::, d::, 4::, A::
- urls: http://169.254.169.254/latest/meta-data/iam/security-credentials/, https://franki.requestcatcher.com/apple-full-harvest;, https://franki.requestcatcher.com/test-koneksi, https://webhook.site/d9f34800-21dd-4668-8773-1f3c7ea8b1be;, https://webhook.site/d9f34800-21dd-4668-8773-1f3c7ea8b1be (+46 more)
- domains: franki.requestcatcher.com, registry.npmmirror.com, pip.pypa.io, badges.gitter.im, gitter.im (+38 more)
- emails: js@jamesls.com, gustavo@niemeyer.net, tomi.pievilainen@iki.fi, me@jarondl.net, paul@ganssle.io (+6 more)
- bitcoinAddresses: 3ddbdf4f3a9c1a45e75789998266f759
- awsAccessKeys: AKIAIWAZLKZYOJLZERHQ
- webhookServices: https://webhook.site/d9f34800-21dd-4668-8773-1f3c7ea8b1be;, https://webhook.site/d9f34800-21dd-4668-8773-1f3c7ea8b1be, https://webhook.site/${webID}?info=${data}&status=pwned`);, https://webhook.site/162f1419-988b-4611-9d44-c0df27e0d579, https://webhook.site/bebcbad8-da0e-43e1-af8d-9d069ca3bd42 (+3 more)
- binaryHashes: 265e8cf44352b0f8c2b5b7d74c07682ae452fab79f19e6142f48dd32f59feaf7
- payloadFileHash: 0ef19454dad9462a9c38b2bebac1a244a5c6ec108cf5e91c7fbb02a90942af19
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | apple-security-internal-scanner-v3 | all (affected) | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.