VDB

GCVE-110-OSM-2026-5090

GCVE-110-OSM-2026-5090
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 31, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution. Entrypoint: scripts/postinstall.cjs (install-hook: node scripts/postinstall.cjs) Exfil: https://auth.openai.com/oauth/token (reconstructed, recovery: reconstructed in dist/index-BEoqDM_G.mjs) Payload: dist/index-BEoqDM_G.mjs Secondary files: dist/index-DkcHmxcp.cjs, dist/types-5cdyGi0Z.mjs Key findings: - Environment Variable Exfiltration in dist/index-BEoqDM_G.mjs: "process.env.HAPPY_DAEMON_HTTP_TIMEOUT ? parseInt(process.env.HAPPY_DAEMON_HTTP_T..." - Download Execute Delete Pattern in dist/index-BEoqDM_G.mjs: "spawn'; import path, { resolve, join, isAbsolute } from 'node:path'; import { cr..." - Reconstructed Obfuscated URL in dist/index-BEoqDM_G.mjs: "https://auth.openai.com/oauth/token" - Environment Variable Exfiltration in dist/index-DkcHmxcp.cjs: "process.env.HAPPY_DAEMON_HTTP_TIMEOUT ? parseInt(process.env.HAPPY_DAEMON_HTTP_T..." - Reconstructed Obfuscated URL in dist/index-DkcHmxcp.cjs: "https://auth.openai.com/oauth/token" IOCs: - ipv4: 1.0.6.3 - ipv6: e::, 5::, d::, 7::, 9:: (+6 more) - urls: https://api.cluster-fluster.com`, https://app.happy.engineering`, http://127.0.0.1:PORT, https://claude.ai/code, https://happy.engineering (+16 more) - domains: 681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com, happy-api.ask-ggk.com, 6.pl, 5.fO, 48.si (+6 more) - emails: yesreply@happy.engineering, keys@app.happy.engineering, N@W3K.xf - payloadFileHash: 5386e73bdc5a6f49061ed5cf89cda4c2088cc57aff5e822c0e6dccc9fee6e536

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownggk-happy1.1.8 (affected)

References

advisory
vendor

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›