VDB
GCVE-110-OSM-2026-5896
GCVE-110-OSM-2026-5896
Advisory PublishedCVSS 9.6/10
This package is a destructive sabotage tool targeting Python environments. The bin/cli.js entrypoint (registered as 'env-base64-json') executes three adversarial operations on invocation: (1) runs `pip freeze | xargs pip uninstall -y` to silently uninstall all Python packages on the system, (2) recursively walks the entire filesystem from '/' renaming every `.py` file to `.py-hacked` — a wiper/ransomware-style file corruption pattern — and (3) enumerates all running Python processes via `ps aux | grep python` and kills each one with `kill -9`. A separate index.js collects `process.env` serialized as base64, consistent with credential harvesting. The publisher ('binizik', mail.ru email, 8 versions published within ~90 minutes) has no prior reputation and the package name 'super-test-json' is generic cover. The Cyrillic comments confirm intentional authorship of the destructive logic.
ENTRY
bin/cli.js (bin: ./bin/cli.js)
- Bin Field Command Injection in package.json: ""bin": { "env-base64-json":"
EXFIL
- Environment Variable Exfiltration in index.js: "JSON.stringify(process.env)"
- Data Encoding for Exfiltration in index.js: "Buffer.from(envJson).toString('base64')"
ADDITIONAL FINDINGS
- Shell Command Execution in bin/cli.js: "require('child_process')"
- Rapid Version Publishing
PAYLOAD FILES
index.js
INDICATORS (IOCs)
- payloadFileHash: 7e5b6f9dbab38a67688d63a1c7a73eaeae35da57eb4ce472735072a9689e2a11
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | super-test-json | all (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.