VDB
GCVE-110-OSM-2026-3773
GCVE-110-OSM-2026-3773
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.
Entrypoint: scripts/postinstall-clipboard-event.mjs (install-hook: node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-bootstrap.mjs && node scripts/postinstall-agent.mjs)
Exfil: http://204.10.194.247:9877
Payload: dist/relayServer.js
Secondary files: scripts/postinstall-agent.mjs, dist/relayAgent.js
Key findings:
- Download Execute Delete Pattern in dist/autostart/darwin.js: "spawnSync)("launchctl", ["unload", plistPath()], {
encoding: "utf-8",
..."
- Download Execute Delete Pattern in dist/autostart/darwinAutoUpdate.js: "spawnSync)("launchctl", ["unload", autoUpdatePlistPath()], {
encoding: "..."
- Download Execute Delete Pattern in dist/autostart/darwinLegacyNpmSchedulerCleanup.js: "spawnSync)("launchctl", ["unload", legacyNpmSchedulerPlistPath()], {
enc..."
- Download Execute Delete Pattern in dist/autostart/linux.js: "spawnSync)("systemctl", ["--user", "disable", constants_1.SYSTEMD_UNIT_NAME], {
..."
- Download Execute Delete Pattern in dist/autostart/linuxLegacyNpmSchedulerCleanup.js: "spawnSync)("systemctl", ["--user", "stop", `${constants_1.LEGACY_SYSTEMD_NPM_SCH..."
IOCs:
- ipv4: 204.10.194.247
- urls: http://api:8765, http://204.10.194.247:9877
- payloadFileHash: 0eff990fef6c5c2e655f0619553af2d7da0baf2c96e60d7e56de5bf49b27408b
Hidden install (secondary package pulled at runtime):
- --include [OSM: clean] in scripts/ensure-dist.mjs
- --only [OSM: clean] in scripts/ensure-dist.mjs
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | forge-jsxy | all (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.