VDB

GCVE-110-OSM-2026-3773

GCVE-110-OSM-2026-3773
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 7, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution. Entrypoint: scripts/postinstall-clipboard-event.mjs (install-hook: node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-bootstrap.mjs && node scripts/postinstall-agent.mjs) Exfil: http://204.10.194.247:9877 Payload: dist/relayServer.js Secondary files: scripts/postinstall-agent.mjs, dist/relayAgent.js Key findings: - Download Execute Delete Pattern in dist/autostart/darwin.js: "spawnSync)("launchctl", ["unload", plistPath()], { encoding: "utf-8", ..." - Download Execute Delete Pattern in dist/autostart/darwinAutoUpdate.js: "spawnSync)("launchctl", ["unload", autoUpdatePlistPath()], { encoding: "..." - Download Execute Delete Pattern in dist/autostart/darwinLegacyNpmSchedulerCleanup.js: "spawnSync)("launchctl", ["unload", legacyNpmSchedulerPlistPath()], { enc..." - Download Execute Delete Pattern in dist/autostart/linux.js: "spawnSync)("systemctl", ["--user", "disable", constants_1.SYSTEMD_UNIT_NAME], { ..." - Download Execute Delete Pattern in dist/autostart/linuxLegacyNpmSchedulerCleanup.js: "spawnSync)("systemctl", ["--user", "stop", `${constants_1.LEGACY_SYSTEMD_NPM_SCH..." IOCs: - ipv4: 204.10.194.247 - urls: http://api:8765, http://204.10.194.247:9877 - payloadFileHash: 0eff990fef6c5c2e655f0619553af2d7da0baf2c96e60d7e56de5bf49b27408b Hidden install (secondary package pulled at runtime): - --include [OSM: clean] in scripts/ensure-dist.mjs - --only [OSM: clean] in scripts/ensure-dist.mjs

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownforge-jsxyall (affected)

References

vendor

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›