VDB

GCVE-110-OSM-2026-5274

GCVE-110-OSM-2026-5274
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 3, 2026
This package follows a classic supply-chain concealment pattern: the entrypoint (dist/index.cjs) is a completely innocuous dummy logger with no suspicious code, but the package pulls in 'obfus-jsxy' — a dependency whose name signals obfuscation and is independently confirmed malicious in the OSM database. The publisher has a single package, no source repository, and a newly created account, fitting the throwaway-publisher model used in dependency poisoning campaigns. Entrypoint: dist/index.cjs (main: ./dist/index.cjs) Key findings: - Malicious Dependency Detected (OSM) in package.json: obfus-jsxy and ts-logger-pack - The domain 'fleet-trout-946.convex.site' (recovered as '2Ffleet-trout-946.convex.site') appears to be an attacker-controlled Convex backend endpoint likely used for exfiltration by the malicious dependency. IOCs: - domains: 2Ffleet-trout-946.convex.site

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownintqueryall (affected)
unknownsilly-logger0.1.7 (affected)

References

advisory
vendor
vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›