VDB
GCVE-110-OSM-2026-5813
GCVE-110-OSM-2026-5813
Advisory PublishedCVSS 9.6/10
The postinstall.js file unambiguously executes `whoami` via child_process.exec on install and immediately POSTs the result as JSON to a hardcoded webhook.site URL (https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7). This is a classic initial-access reconnaissance payload — the attacker model is system fingerprinting/victim enumeration triggered silently at install time. The package is published by a brand-new account (sheratan_test, 0 prior packages, qq.com email) with no repository, no homepage, and a misleading description ('A simple date formatting utility'). All evidence is directly readable in the entrypoint file content; no ambiguity exists.
Entrypoint: postinstall.js (install-hook: node postinstall.js)
Payload: postinstall.js
Key findings:
- OAST/Interactsh Exfiltration in postinstall.js: "webhook.site"
- Install Hook Executes Local JS File in package.json: ""postinstall": "node postinstall.js""
- Shell Command Execution in postinstall.js: "require("child_process")"
IOCs:
- webhookServices: https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7
- payloadFileHash: 3b000e0e744ef8a80f1d503b690be975df0e2e6b75f6951cec18d57862e425ce
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sheratan_haha | all (affected) | — |
Aliases
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.