VDB
GCVE-110-OSM-2026-4640
GCVE-110-OSM-2026-4640
Advisory PublishedCVSS 9.6/10
[osmalyze-auto] Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution.
[osmalyze-auto] Entrypoint: scripts/postinstall.mjs (install-hook: node scripts/postinstall.mjs)
Exfil: https://links.ethers.org/v5-errors- (custom-c2, recovery: plaintext in dist/index.js)
Payload: dist/index.js
Key findings:
- Environment Variable Exfiltration in dist/index.js: "process.env.npm_package_version??"0.1.0"}`}}async function Sh(t,e,r,i){let n=awa..."
- Dynamic Code Execution in dist/index.js: "exec(v)"
- XOR-Encoded String Arrays in dist/index.js: "var Ei=[1116352408,3609767458,1899447441,602891725,3049323471,3964484399,3921009..."
- Data Encoding for Exfiltration in dist/index.js: "Buffer.from(e.auth.username+":"+e.auth.password,"utf8").toString("base64")"
- Dynamic C2 Endpoint Construction in dist/index.js: "function FI(t,e,r){let i;for await(let n of e)try{n.length<2?n.call(t,r):await n..."
IOCs:
- urls: https://links.ethers.org/v5-errors-
- domains: matteocollina.com, vnd.ctct.ws, vnd.eu, vnd.net, vnd.si (+2 more)
- emails: hello@matteocollina.com
- ethereumAddresses: 0x0000000000000000000000000000000000000000, 0xdFE02Eb6733538f8Ea35D585af8DE5958AD99E40, 0xd91E80cF2E7be2e162c6513ceD06f1dD0dA35296, 0xC5d563A36AE78145C45a50134d48A1215220f80a, 0x9c4e1703476e875070ee25b56a58b008cfb8fa78 (+4 more)
- sha256Hashes: c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470, 1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347, 56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421
- payloadFileHash: e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | polymarket-ai-agent | 0.1.1 (affected) | — |
Aliases
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.