VDB

GCVE-110-OSM-2026-5220

GCVE-110-OSM-2026-5220
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 2, 2026
Typosquatting attack. Similar to popular package: unknown. Behaviors: data exfiltration, code execution, obfuscated code. Entrypoint: lib/puppeteer/puppeteer-core.js (main: ./lib/puppeteer/puppeteer-core.js) Exfil: https://source.chromium.org/chromium/chromium/src/+/main:components/autofill/core/browser/field_types.cc (custom-c2, recovery: plaintext in lib/es5-iife/puppeteer-core-browser.d.ts) Payload: lib/es5-iife/puppeteer-core-browser.js Secondary files: lib/es5-iife/puppeteer-core-browser.d.ts, lib/types.d.ts Key findings: - Global Variable Shadowing in lib/es5-iife/puppeteer-core-browser.js: "const module = {" - Global Variable Shadowing in lib/puppeteer/common/ScriptInjector.js: "const module = {" - Corporate Environment Targeting in src/cdp/EmulationManager.ts: "tMostOnceForArguments async #emulateIdleState( client: CDPSession, idl..." - Global Variable Shadowing in src/common/ScriptInjector.ts: "const module = {" - Startup Persistence in lib/es5-iife/puppeteer-core-browser.d.ts: ".Profile" IOCs: - ipv4: 7.2.1.0 - urls: https://chromedevtools.github.io/devtools-protocol/, https://pptr.dev/webdriver-bidi, https://pptr.dev/docs, https://pptr.dev/api, https://pptr.dev/contributing (+45 more) - domains: chromedevtools.github.io, pptr.dev, developer.chrome.com, source.chromium.org, webbluetoothcg.github.io (+21 more) - payloadFileHash: d9738a593fe5cb3054993db7158a3dca453856dcd5fdbfcf1e7c53e13f4bf17f

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpuppeteer-core25.1.0 (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›