VDB

GCVE-110-OSM-2026-3464

GCVE-110-OSM-2026-3464
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Steals the identity of npm author sindresorhus by spoofing `sindresorhus@gmail.com` as the package author email and pointing the repository URL at the legitimate `github.com/sindresorhus/unique-string`, while the actual publisher (`jr10162025@proton.me`, username jason2) is a confirmed threat actor on the DeceptiveDevelopment watchlist. The package typosquats `unique-string` (25.6M+ weekly downloads) with 113 weekly installs already accrued — any future version from the controlling actor can deploy a malicious payload to existing installs. **Trigger**: No install hooks declared (`preinstall`, `postinstall`, `install` all absent). The threat is actor-controlled namespace rather than active payload. **Identity spoofing**: `package.json` sets `author.email` to `sindresorhus@gmail.com` (the legitimate original author) and `repository.url` to `git+https://github.com/sindresorhus/unique-string.git` (the legitimate upstream project). The npm registry `_npmUser` record confirms the actual publisher as `jr10162025@proton.me` (username: jason2). **Tarball provenance**: `has_git_head: false` — the tarball was hand-assembled without a git checkout. Published via manual credential-based push with no OIDC or CI/CD provenance. **Current source** (`index.js`, 141 bytes, plaintext ES module): `import cryptoRandomString from 'crypto-random-string'; export default function uniqueString() { return cryptoRandomString({length: 32}); }` — a verbatim copy of the legitimate package logic. No obfuscation, no network calls, no eval/exec sinks. **Actor context**: The same publisher account (`jr10162025@proton.me`) published confirmed malicious packages in the same session, establishing a pattern of staging clean typosquat namespaces alongside active malware deployments.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownunique-string-321.0.0 (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›