VDB
GCVE-110-OSM-2026-5884
GCVE-110-OSM-2026-5884
Advisory PublishedCVSS 9.6/10
The publisher 'meowmeow1222' has a publisherMaliciousRatio of 1.0 — their only other known package (meowmeow11001) is already confirmed malicious at critical severity in OSM. This package follows the identical naming pattern and was published in the same session (same timestamp). The postinstall script executes an inline Python3 one-liner via `python3 -c`, and the presence of `urllib.request.urlopen(` in that context strongly suggests the install hook fetches and executes a remote payload — the canonical attacker model for this campaign. Minimal metadata (no description, no repo, no keywords) and a brand-new account with only two packages are consistent with a throwaway delivery account.
Key findings:
- Publisher Has Other Malicious Packages
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | meowmeow111 | all (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.