VDB
GCVE-110-OSM-2026-5090
GCVE-110-OSM-2026-5090
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.
Entrypoint: scripts/postinstall.cjs (install-hook: node scripts/postinstall.cjs)
Exfil: https://auth.openai.com/oauth/token (reconstructed, recovery: reconstructed in dist/index-BEoqDM_G.mjs)
Payload: dist/index-BEoqDM_G.mjs
Secondary files: dist/index-DkcHmxcp.cjs, dist/types-5cdyGi0Z.mjs
Key findings:
- Environment Variable Exfiltration in dist/index-BEoqDM_G.mjs: "process.env.HAPPY_DAEMON_HTTP_TIMEOUT ? parseInt(process.env.HAPPY_DAEMON_HTTP_T..."
- Download Execute Delete Pattern in dist/index-BEoqDM_G.mjs: "spawn';
import path, { resolve, join, isAbsolute } from 'node:path';
import { cr..."
- Reconstructed Obfuscated URL in dist/index-BEoqDM_G.mjs: "https://auth.openai.com/oauth/token"
- Environment Variable Exfiltration in dist/index-DkcHmxcp.cjs: "process.env.HAPPY_DAEMON_HTTP_TIMEOUT ? parseInt(process.env.HAPPY_DAEMON_HTTP_T..."
- Reconstructed Obfuscated URL in dist/index-DkcHmxcp.cjs: "https://auth.openai.com/oauth/token"
IOCs:
- ipv4: 1.0.6.3
- ipv6: e::, 5::, d::, 7::, 9:: (+6 more)
- urls: https://api.cluster-fluster.com`, https://app.happy.engineering`, http://127.0.0.1:PORT, https://claude.ai/code, https://happy.engineering (+16 more)
- domains: 681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com, happy-api.ask-ggk.com, 6.pl, 5.fO, 48.si (+6 more)
- emails: yesreply@happy.engineering, keys@app.happy.engineering, N@W3K.xf
- payloadFileHash: 5386e73bdc5a6f49061ed5cf89cda4c2088cc57aff5e822c0e6dccc9fee6e536
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ggk-happy | 1.1.8 (affected) | — |
Aliases
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.