VDB

GCVE-110-OSM-2026-5884

GCVE-110-OSM-2026-5884
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
The publisher 'meowmeow1222' has a publisherMaliciousRatio of 1.0 — their only other known package (meowmeow11001) is already confirmed malicious at critical severity in OSM. This package follows the identical naming pattern and was published in the same session (same timestamp). The postinstall script executes an inline Python3 one-liner via `python3 -c`, and the presence of `urllib.request.urlopen(` in that context strongly suggests the install hook fetches and executes a remote payload — the canonical attacker model for this campaign. Minimal metadata (no description, no repo, no keywords) and a brand-new account with only two packages are consistent with a throwaway delivery account. Key findings: - Publisher Has Other Malicious Packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmeowmeow111all (affected)

References

vendor

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›