VDB
GCVE-110-OSM-2026-3464
GCVE-110-OSM-2026-3464
Advisory PublishedCVSS 8.8/10
Steals the identity of npm author sindresorhus by spoofing `sindresorhus@gmail.com` as the package author email and pointing the repository URL at the legitimate `github.com/sindresorhus/unique-string`, while the actual publisher (`jr10162025@proton.me`, username jason2) is a confirmed threat actor on the DeceptiveDevelopment watchlist. The package typosquats `unique-string` (25.6M+ weekly downloads) with 113 weekly installs already accrued — any future version from the controlling actor can deploy a malicious payload to existing installs.
**Trigger**: No install hooks declared (`preinstall`, `postinstall`, `install` all absent). The threat is actor-controlled namespace rather than active payload.
**Identity spoofing**: `package.json` sets `author.email` to `sindresorhus@gmail.com` (the legitimate original author) and `repository.url` to `git+https://github.com/sindresorhus/unique-string.git` (the legitimate upstream project). The npm registry `_npmUser` record confirms the actual publisher as `jr10162025@proton.me` (username: jason2).
**Tarball provenance**: `has_git_head: false` — the tarball was hand-assembled without a git checkout. Published via manual credential-based push with no OIDC or CI/CD provenance.
**Current source** (`index.js`, 141 bytes, plaintext ES module): `import cryptoRandomString from 'crypto-random-string'; export default function uniqueString() { return cryptoRandomString({length: 32}); }` — a verbatim copy of the legitimate package logic. No obfuscation, no network calls, no eval/exec sinks.
**Actor context**: The same publisher account (`jr10162025@proton.me`) published confirmed malicious packages in the same session, establishing a pattern of staging clean typosquat namespaces alongside active malware deployments.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | unique-string-32 | 1.0.0 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.