VDB

GCVE-110-OSM-2026-5923

GCVE-110-OSM-2026-5923
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
A URL to `https://apps.usaa.com/enterprise/employee-directory?emplNum=Y3953` is embedded inside what purports to be a pako compression wrapper — there is no legitimate reason for a zlib/deflate library to reference a USAA financial-institution employee directory endpoint with a hardcoded employee number. The legitimate nodeca/pako source does not contain this URL, confirming the files were tampered with. Combined with `btoa()` usage in both `pako.js` and `pretty-pako.js` (consistent with encoding collected data before transmission to this endpoint), the attacker model is clear: data is base64-encoded and exfiltrated to the USAA internal URL, likely as a covert callback or credential/env capture. The publisher `oddjobhat` already has a confirmed high-severity malicious package (`javaxscript`) in OSM, establishing a pattern of supply-chain attacks. The 282KB file size (over the deobfuscation cap) means the exfil call is buried deep in the file and was not surfaced in the truncated content, consistent with intentional evasion. ENTRY pretty-pako.js (main: pretty-pako.js) DESTINATION - custom-c2: https://apps.usaa.com/enterprise/employee-directory?emplNum=Y3953 (primary, plaintext) in pako.js - custom-c2: zlib.net (plaintext) in pako.js EXFIL - Data Encoding for Exfiltration in pako.js: "btoa(" - Data Encoding for Exfiltration in pretty-pako.js: "btoa(" ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages PAYLOAD FILES pako.js (+ pretty-pako.js) INDICATORS (IOCs) - payloadFileHash: 61ec151710e5d982666995b04b5bcd5498200135bc3d2376d1cd7873146256cf

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpretty-pakoall (affected)

References

vendor

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›