VDB
GCVE-110-OSM-2026-3480
GCVE-110-OSM-2026-3480
Advisory PublishedCVSS 9.6/10
[osmalyze-auto] Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code.
[osmalyze-auto] Entrypoint: dist/hls.js (main: ./dist/hls.js)
Payload: dist/hls.js
Secondary files: dist/hls.mjs, dist/hls-demo.js
Key findings:
- Corporate Environment Targeting in dist/hls-demo.js: "tmovin (Safari and Edge? only as of 2020-08)',
abr: true,
skipFunc..."
- Corporate Environment Targeting in dist/hls.js: "tmost matching pattern on each iteration,
// until no match"
- Global Variable Shadowing in dist/hls.js: "var module={"
- Corporate Environment Targeting in dist/hls.light.js: "tmost matching pattern on each iteration,
// until no match"
- Global Variable Shadowing in dist/hls.light.js: "var module={"
IOCs:
- ipv4: 4.4.3.2, 4.3.2.4, 7.3.2.1, 4.1.3.1, 4.1.1.3 (+2 more)
- urls: http://www.dailymotion.com, https://data.jsdelivr.com/v1/package/npm/hls.js/badge?style=rounded, https://saucelabs.com/buildstatus/robwalch, https://app.saucelabs.com/u/robwalch, https://data.jsdelivr.com/v1/package/npm/hls.js/badge (+45 more)
- domains: www.dailymotion.com, data.jsdelivr.com, www.jsdelivr.com, saucelabs.com, app.saucelabs.com (+42 more)
- emails: iz@onicos.co.jp
- sha256Hashes: ac67852f1625b338f9d1fb96be089d03557d50bfc5790d5f48dc56799f59dec6
- payloadFileHash: d0df309cc0d5ea47b7742e5253f9debf204dba86941dd5769f59fbf55f266fbc
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | hls.js | 1.6.16 (affected) | — |
Aliases
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.