VDB
GCVE-110-OSM-2026-5923
GCVE-110-OSM-2026-5923
Advisory PublishedCVSS 9.6/10
A URL to `https://apps.usaa.com/enterprise/employee-directory?emplNum=Y3953` is embedded inside what purports to be a pako compression wrapper — there is no legitimate reason for a zlib/deflate library to reference a USAA financial-institution employee directory endpoint with a hardcoded employee number. The legitimate nodeca/pako source does not contain this URL, confirming the files were tampered with. Combined with `btoa()` usage in both `pako.js` and `pretty-pako.js` (consistent with encoding collected data before transmission to this endpoint), the attacker model is clear: data is base64-encoded and exfiltrated to the USAA internal URL, likely as a covert callback or credential/env capture. The publisher `oddjobhat` already has a confirmed high-severity malicious package (`javaxscript`) in OSM, establishing a pattern of supply-chain attacks. The 282KB file size (over the deobfuscation cap) means the exfil call is buried deep in the file and was not surfaced in the truncated content, consistent with intentional evasion.
ENTRY
pretty-pako.js (main: pretty-pako.js)
DESTINATION
- custom-c2: https://apps.usaa.com/enterprise/employee-directory?emplNum=Y3953 (primary, plaintext) in pako.js
- custom-c2: zlib.net (plaintext) in pako.js
EXFIL
- Data Encoding for Exfiltration in pako.js: "btoa("
- Data Encoding for Exfiltration in pretty-pako.js: "btoa("
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
PAYLOAD FILES
pako.js (+ pretty-pako.js)
INDICATORS (IOCs)
- payloadFileHash: 61ec151710e5d982666995b04b5bcd5498200135bc3d2376d1cd7873146256cf
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | pretty-pako | all (affected) | — |
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.