VDB
GCVE-110-OSM-2026-5100
GCVE-110-OSM-2026-5100
Advisory PublishedCVSS 9.6/10
The package ships a UPX-packed binary disguised as `src/system/index.mjs` (~948 KB, well over any legitimate ES module) and executes it at install time via the `preinstall` hook (`"preinstall": "./src/system/index.mjs"`). The IOC `http://upx.sf.net` appears literally in the binary, confirming UPX packing — a common technique to deliver a compiled native payload inside an npm package. The remaining source files (`src/users/list.js` reading `/etc/passwd`, `src/network/ip.js` querying `ifconfig.me`, `src/users/current.js` calling `os.userInfo()`, `src/system/hostname.js` calling `os.hostname()`) provide the data-collection layer that feeds the packed payload. The attacker model is a supply-chain credential/recon implant: on `npm install`, the preinstall hook executes the packed binary, which harvests `/etc/passwd`, user identity, hostname, and external IP — classic initial-access reconnaissance. `hasSecurityHolding: true` with recovery confirms this package was previously yanked for malicious behavior and is being re-scanned.
Entrypoint: index.js (main: index.js)
Payload: src/users/list.js
Secondary files: src/network/hostname.js, src/system/hostname.js
Key findings:
- Sensitive File Access in src/users/list.js: "'/etc/passwd'"
- Shell Command Execution in src/network/hostname.js: "require('child_process')"
- Shell Command Execution in src/network/ip.js: "require('child_process')"
- Shell Command Execution in src/network/ping.js: "require('child_process')"
- Shell Command Execution in src/network/ports.js: "require('child_process')"
IOCs:
- ipv6: 0::, E::
- urls: https://D, http://upx.sf.net
- domains: upx.sf.net
- emails: appro@openssl.Ng, o@5.dzRNO
- payloadFileHash: 3f1f7296a2cf9db5b8abff4cbcf41ad09519053caf2980ef1d3eda6b873d8de8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | linux-utils | all (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.