VDB

GCVE-110-OSM-2026-5301

GCVE-110-OSM-2026-5301
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 3, 2026
npm package `executable-stories-react` was compromised as part of the self-replicating 'binding.gyp' supply chain worm disclosed by StepSecurity (June 2026). Malicious versions were published using credentials stolen from the maintainer; installing them executes a multi-stage credential-harvesting payload via a malicious binding.gyp during `npm install`. Affected version(s): 0.1.7. Self-replicating npm supply chain worm ('binding.gyp' campaign, StepSecurity June 2026). === STAGE 0: Install trigger === Malicious file: binding.gyp (~100 bytes). Abuses shell command expansion via node-gyp during `npm install`, bypassing conventional package.json install-script detection. === STAGE 1: Obfuscated loader === Malicious file: index.js (4.5-4.9 MB). Decodes with a ROT-N Caesar cipher then AES-128-GCM (hardcoded key) to reveal the next stage. === STAGE 2: Runtime acquisition === Silently downloads the Bun JavaScript runtime v1.3.13 from GitHub to execute the payload outside the Node.js process and evade process-based detection. === STAGE 3: Credential harvesting & self-replication === Steals npm tokens, GitHub tokens/PATs, AWS access keys, GCP service account credentials, Azure secrets, HashiCorp Vault tokens, Kubernetes service tokens, RubyGems keys, and password-manager credentials. Secrets are encrypted with a hardcoded RSA public key and exfiltrated to attacker-controlled GitHub repositories as dangling commits. The worm then injects malicious steps into GitHub Actions workflows and republishes other packages owned by the compromised maintainer, propagating across the npm ecosystem.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownexecutable-stories-react0.1.7 (affected)

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›