VDB

GCVE-110-OSM-2026-5062

GCVE-110-OSM-2026-5062
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 27, 2026
Malicious npm package in the oob.moika.tech dependency-confusion campaign, published by account 'mr.4nd3r50n' impersonating a cloud platform provider's internal micro-frontend modules. A postinstall hook exfiltrates the full environment (process.env credentials, tokens, secrets) and host metadata to https://oob.moika.tech/report and runs a detached OS-specific second-stage payload. Malicious payload found in: package.json (postinstall hook) -> scripts/postinstall.js Hardcoded campaign constants: CALLBACK_URL = https://oob.moika.tech/report PAYLOAD_BASE = https://oob.moika.tech/payload SECRET (X-Secret header) = l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 Behavior: postinstall sleeps 3s (sandbox evasion), detects OS, downloads second stage https://oob.moika.tech/payload/{mac|win|linux}.js to OS temp dir, spawns it detached (survives npm install exit), then POSTs full process.env + hostname, username, platform, architecture, cwd and Node version to https://oob.moika.tech/report with X-Secret header. Fallback beacon sends system data directly if second-stage download fails. Exfiltrates any credentials in env: NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, database URLs. Temp/marker artifacts: ._cloudplatform-single-spa_init.js, ._t-in-one_init.js, ~/.cache/._t-in-one_init/ Social engineering: README frames exfil as 'anonymous telemetry' with fake opt-out env vars and fabricated internal docs/registry URLs (docs.<target>.io, jira.<target>.io, npm.<target>.io).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@cloudplatform-single-spa/dataplatform-nessieall (affected)

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›