VDB
GCVE-110-OSM-2026-5927
GCVE-110-OSM-2026-5927
Advisory PublishedCVSS 9.6/10
This is a dependency confusion attack package. The preinstall hook unconditionally executes `check-environment.js`, which calls `initSystem()` from `utils.js` (the `isDev = true` flag ensures the snake-game decoy banner is never shown and `initSystem()` always runs). `utils.js` contains hex-obfuscated strings that decode to three public IP-lookup services (`api.ipify.org`, `api.myip.com`, `ifconfig.me/ip`) for victim IP reconnaissance, plus a DNS logging callback domain `701309e1.log.dnslog.qzz.io` — a dnslog OAST endpoint used to exfiltrate data out-of-band via DNS. The inflated version scheme (0.0.1 through 9.9.10 published in two days) is a textbook dependency confusion technique designed to outrank internal packages. The publisher account is new (6 days old), uses a disposable-looking email domain (`gfde.site`), and has no source repository.
ENTRY
check-environment.js (install-hook: node check-environment.js)
- Install Hook Executes Local JS File in package.json
OBFUSCATION
- Decoded Hex String Content in utils.js (x6)
- recovered 3 urls, 4 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Rapid Version Publishing
PAYLOAD FILES
utils.js
INDICATORS (IOCs)
- urls: https://api.ipify.org?format=json, https://api.myip.com, https://ifconfig.me/ip
- domains: api.ipify.org, api.myip.com, ifconfig.me, 701309e1.log.dnslog.qzz.io
- payloadFileHash: 67723c11c6e7befa84586af276353d741408bc970239b6cc91a30a3e70c73800
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | paasprint-sdk | 9.9.10 (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.