VDB

GCVE-110-OSM-2026-4030

GCVE-110-OSM-2026-4030
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 11, 2026
[osmalyze-auto] Malicious package detected. Behaviors: data exfiltration. [osmalyze-auto] Entrypoint: dist/index.js (main: ./dist/index.js) Payload: dist/components/ui/tree-view.cjs Secondary files: dist/components/ui/tree-view.js, dist/components/forms/demo-mocks.cjs Key findings: - Corporate Environment Targeting in dist/components/ui/tree-view.cjs: "tMousePos)) } }), ..." - Corporate Environment Targeting in dist/components/ui/tree-view.js: "tMousePos)) } }), ..." - Clipboard Access in dist/components/forms/schema-viewer.cjs: "navigator.clipboard.writeText" - Clipboard Access in dist/components/forms/schema-viewer.js: "navigator.clipboard.writeText" - Clipboard Access in dist/components/ui/code-block.cjs: "navigator.clipboard.writeText" IOCs: - urls: https://ui.shadcn.com, https://tailwindcss.com, https://magicui.design/docs/components/animated-gradient-text - domains: ui.shadcn.com, Command.Group, props.pl, props.ml, props.my (+3 more) - payloadFileHash: 293ce880d3c40f97af02be8f86cf0abb30d1f462d36564520570158dc28a4ad1

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@uipath/apollo-wind2.16.1 (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›