VDB
GCVE-110-OSM-2026-5872
GCVE-110-OSM-2026-5872
Advisory PublishedCVSS 5.4/10
The author of this package describes it as a "security placeholder" and appears to be a misguided way of marking former malicious packages so they don't get used again. This package is one of several dozen packages published by the author. Marking these as low severity.
Entrypoint: index.js (main: index.js)
Key findings:
- Publisher Has Other Malicious Packages
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | npm-install-github-action | all (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.