VDB

GCVE-110-OSM-2026-4267

GCVE-110-OSM-2026-4267
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 14, 2026
[osmalyze-auto] Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution. [osmalyze-auto] Entrypoint: scripts/only-allow-pnpm.js (install-hook: node ./scripts/only-allow-pnpm.js pnpm) Payload: packages/migrate/src/SchemaEngineCLI.ts Secondary files: packages/client-generator-js/src/TSClient/PrismaClient.ts, packages/client-generator-ts/src/TSClient/PrismaClient.ts Key findings: - Corporate Environment Targeting in packages/cli/src/utils/prompt/utils/templates/sortModels.ts: "tModels(models: DMMF.Model[]): DMMF.Model[] { return models.sort((a, b) => { ..." - Environment Variable Exfiltration in packages/client-generator-js/src/TSClient/PrismaClient.ts: "process.env.DATABASE_URL }) * }) * // Fetch" - Corporate Environment Targeting in packages/client-generator-js/src/TSClient/jsdoc.ts: "tModelArgName(ctx.model.name, ctx.action)}} args - Arguments to filter" - Environment Variable Exfiltration in packages/client-generator-js/src/utils/buildDebugInitialization.ts: "process.env`. The entry point fetch" - Environment Variable Exfiltration in packages/client-generator-ts/src/TSClient/PrismaClient.ts: "process.env.DATABASE_URL }) }) // Fetch" IOCs: - ipv6: 9::, 8::, 2::, a8::, 0:: (+5 more) - urls: https://www.prisma.io/docs/concepts/components/prisma-client/debugging, https://www.prisma.io/docs/concepts/components/prisma-client/working-with-prismaclient/logging, https://pris.ly/orm-roadmap, https://git.io/codeql-language-support, https://crontab.guru (+45 more) - domains: www.prisma.io, pris.ly, octokit.github.io, git.io, get.scoop.sh (+39 more) - emails: hello@prisma.io, alice@prisma.io, security@prisma.io, 1@prisma.io, 2@prisma.io (+45 more) - bitcoinAddresses: 347pnakNevPmiHhNmZ2HbFA76w, 1MkgTCuvMGWuqVtAvkpkXFmtL8XhWy, 1TC5ZBCERW82LQuwfGnCa1V8w7dpYH1yNu, 1AvkDdZM2dbyFybL4fxpuNCaWyv, 1A94B18jkJ3DYq284ohPxoXbfTA5HsQ7 (+1 more) - sha256Hashes: 22c9945888fd6d5b192072895db91a1c0357f6ed932993d04689c716cf828bb2, 78450b9d6ba2e0ab22212d06b328aae737ea02dfd1a608a7a208cb0ee4b300e1, 1deadbeef2deadbeef3deadbeef4deadbeef5deadbeef6deadbeef7deadbeef8, 3c82ee6cd9fedaec18a5e7cd3fc41f8c6b3dd32575dc13443d96aab4bd018411, 5d11bcce386042472d19a6a4f58e40041ebc5932c972e1449cbf404f3e3c4a7a (+2 more) - binaryHashes: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - payloadFileHash: c8bd90db042fc6fe3d8d082a151363c671c4703da645699cda24505bbab493e2

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownprisma-callbackall (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›