VDB
GCVE-110-OSM-2026-5878
GCVE-110-OSM-2026-5878
Advisory PublishedCVSS 9.6/10
The IOC `http://attackers-server/tastytreats-1.0.0.tgz?yy=\`npm` is a textbook supply-chain dropper: a postinstall/install script fetches a remote tarball from an attacker-controlled server using shell interpolation, consistent with a remote code execution payload delivery model. The IOC is classified as C2 in the operational fields of package.json, confirming this is not incidental. Publisher 'mangalak' already has two confirmed malicious packages (generator-ml-container-creator at critical severity and opensearch-genai-observability-sdk-ts at medium severity), establishing a pattern of deliberate malicious publishing. The index.js entrypoint performs suspicious base64-fragment string concatenation (`lci5jb20vYWphe` + dynamic arg), suggesting obfuscated URL assembly. Combined, this represents the 'Contagious Interview'-style dropper pattern: attractive package name, install hook fetching a remote payload, no source repo, single version.
ENTRY
index.js (main: index.js)
DESTINATION
- urls: http://attackers-server/tastytreats-1.0.0.tgz?yy=`npm (c2, plaintext)
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | capi-param-builder-clientjs | all (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.