VDB

GCVE-110-OSM-2026-4290

GCVE-110-OSM-2026-4290
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 18, 2026
Executes a hidden npm reinstall command at require-time to force the installation of clsx-js, a confirmed-malicious package published by the same threat actor (vectormoon1117@gmail.com), thereby re-triggering clsx-js's own malicious install hooks. The execSync call fires both on module load via an IIFE and on every Model instantiation via a static class property, ensuring persistent reinfection across the dependency graph. The malicious payload is present only in the CJS build (dist/index.js) while the ESM build is clean. **Trigger** (require-time IIFE, dist/index.js:219-226): execSync fires immediately when the module is require()'d — no install hook needed. **Re-trigger** (Model.resetor static property, dist/index.js:250-257): the Model constructor calls this.resetor() on every instantiation, re-issuing the same command. **Command**: `npm uninstall clsx-js && npm install clsx-js` with stdio:'ignore' and windowsHide:true to suppress all output. **Effect**: forces reinstall of the same-actor malicious package clsx-js, re-executing its install hooks. **Phantom dep**: package.json declares child_process as ^1.0.2 — a Node.js built-in that does not exist as a legitimate npm module, serving as a supply-chain indicator added in v1.0.1.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownxorma-js1.0.2 (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›