VDB

GCVE-110-OSM-2026-5878

GCVE-110-OSM-2026-5878
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
The IOC `http://attackers-server/tastytreats-1.0.0.tgz?yy=\`npm` is a textbook supply-chain dropper: a postinstall/install script fetches a remote tarball from an attacker-controlled server using shell interpolation, consistent with a remote code execution payload delivery model. The IOC is classified as C2 in the operational fields of package.json, confirming this is not incidental. Publisher 'mangalak' already has two confirmed malicious packages (generator-ml-container-creator at critical severity and opensearch-genai-observability-sdk-ts at medium severity), establishing a pattern of deliberate malicious publishing. The index.js entrypoint performs suspicious base64-fragment string concatenation (`lci5jb20vYWphe` + dynamic arg), suggesting obfuscated URL assembly. Combined, this represents the 'Contagious Interview'-style dropper pattern: attractive package name, install hook fetching a remote payload, no source repo, single version. ENTRY index.js (main: index.js) DESTINATION - urls: http://attackers-server/tastytreats-1.0.0.tgz?yy=`npm (c2, plaintext) ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncapi-param-builder-clientjsall (affected)

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›