VDB

GCVE-110-OSM-2026-3480

GCVE-110-OSM-2026-3480
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 4, 2026
[osmalyze-auto] Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. [osmalyze-auto] Entrypoint: dist/hls.js (main: ./dist/hls.js) Payload: dist/hls.js Secondary files: dist/hls.mjs, dist/hls-demo.js Key findings: - Corporate Environment Targeting in dist/hls-demo.js: "tmovin (Safari and Edge? only as of 2020-08)', abr: true, skipFunc..." - Corporate Environment Targeting in dist/hls.js: "tmost matching pattern on each iteration, // until no match" - Global Variable Shadowing in dist/hls.js: "var module={" - Corporate Environment Targeting in dist/hls.light.js: "tmost matching pattern on each iteration, // until no match" - Global Variable Shadowing in dist/hls.light.js: "var module={" IOCs: - ipv4: 4.4.3.2, 4.3.2.4, 7.3.2.1, 4.1.3.1, 4.1.1.3 (+2 more) - urls: http://www.dailymotion.com, https://data.jsdelivr.com/v1/package/npm/hls.js/badge?style=rounded, https://saucelabs.com/buildstatus/robwalch, https://app.saucelabs.com/u/robwalch, https://data.jsdelivr.com/v1/package/npm/hls.js/badge (+45 more) - domains: www.dailymotion.com, data.jsdelivr.com, www.jsdelivr.com, saucelabs.com, app.saucelabs.com (+42 more) - emails: iz@onicos.co.jp - sha256Hashes: ac67852f1625b338f9d1fb96be089d03557d50bfc5790d5f48dc56799f59dec6 - payloadFileHash: d0df309cc0d5ea47b7742e5253f9debf204dba86941dd5769f59fbf55f266fbc

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownhls.js1.6.16 (affected)

References

advisory
vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›