VDB

GCVE-110-OSM-2026-5100

GCVE-110-OSM-2026-5100
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 31, 2026
The package ships a UPX-packed binary disguised as `src/system/index.mjs` (~948 KB, well over any legitimate ES module) and executes it at install time via the `preinstall` hook (`"preinstall": "./src/system/index.mjs"`). The IOC `http://upx.sf.net` appears literally in the binary, confirming UPX packing — a common technique to deliver a compiled native payload inside an npm package. The remaining source files (`src/users/list.js` reading `/etc/passwd`, `src/network/ip.js` querying `ifconfig.me`, `src/users/current.js` calling `os.userInfo()`, `src/system/hostname.js` calling `os.hostname()`) provide the data-collection layer that feeds the packed payload. The attacker model is a supply-chain credential/recon implant: on `npm install`, the preinstall hook executes the packed binary, which harvests `/etc/passwd`, user identity, hostname, and external IP — classic initial-access reconnaissance. `hasSecurityHolding: true` with recovery confirms this package was previously yanked for malicious behavior and is being re-scanned. Entrypoint: index.js (main: index.js) Payload: src/users/list.js Secondary files: src/network/hostname.js, src/system/hostname.js Key findings: - Sensitive File Access in src/users/list.js: "'/etc/passwd'" - Shell Command Execution in src/network/hostname.js: "require('child_process')" - Shell Command Execution in src/network/ip.js: "require('child_process')" - Shell Command Execution in src/network/ping.js: "require('child_process')" - Shell Command Execution in src/network/ports.js: "require('child_process')" IOCs: - ipv6: 0::, E:: - urls: https://D, http://upx.sf.net - domains: upx.sf.net - emails: appro@openssl.Ng, o@5.dzRNO - payloadFileHash: 3f1f7296a2cf9db5b8abff4cbcf41ad09519053caf2980ef1d3eda6b873d8de8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownlinux-utilsall (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›