VDB

GCVE-110-OSM-2026-4743

GCVE-110-OSM-2026-4743
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 26, 2026
Exfiltrates system identity and CI/CD pipeline context to attacker-controlled out-of-band (OAST) infrastructure on every npm install. The postinstall hook runs whoami and id via child_process.execSync, collects hostname, platform, working directory, and environment variables CI, GITHUB_REPOSITORY, and NODE_ENV, then sends all data via HTTPS GET to md3zp4gf8gwxh437mjijacjbe2ky8pwe.oastify.com/github with a secondary DNS beacon for out-of-band confirmation. The OAST domain (Burp Collaborator infrastructure) confirms a remote operator actively monitors each installation callback. **Trigger** (`postinstall`): executes `node postinstall.js` at install time via the `postinstall` hook in `package.json`. **Collection**: calls `execSync('whoami')` and `execSync('id')` to capture user identity; reads `os.hostname()`, `os.platform()`, `process.cwd()` for system context; reads environment variables `process.env.CI`, `process.env.GITHUB_REPOSITORY`, and `process.env.NODE_ENV` to detect CI/CD pipeline execution. **Exfiltration**: issues HTTPS GET request to `https://md3zp4gf8gwxh437mjijacjbe2ky8pwe.oastify.com/github` with all collected data encoded as query parameters. **Out-of-band channel**: performs DNS beacon to `${payload.whoami}.md3zp4gf8gwxh437mjijacjbe2ky8pwe.oastify.com`, encoding the victim username as a DNS subdomain label to provide the operator a secondary confirmation channel that bypasses HTTP-layer blocking. **Operator monitoring**: Burp Collaborator (oastify.com) OAST infrastructure logs both HTTP and DNS callbacks, confirming a human operator is actively monitoring installs. Package description 'Security research canary — github' indicates deliberate CI/CD pipeline targeting.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownverify-mycommand2.0.4 (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›