VDB

GCVE-110-OSM-2026-5939

GCVE-110-OSM-2026-5939
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This is a dependency-confusion attack masquerading as a 'terminal snake game'. The preinstall hook unconditionally calls `initSystem()` from `utils.js` because `isDev` is hardcoded to `true`, making the snake-game banner dead code that exists only as camouflage. `utils.js` hides its payload behind hex-encoded strings that decode to three IP-lookup services (`api.ipify.org`, `api.myip.com`, `ifconfig.me/ip`) and a DNS-based OAST exfiltration endpoint (`701309e1.log.dnslog.qzz.io`), a classic canary-style callback used to confirm code execution on a victim's machine and leak the public IP. The inflated version sequence (0.9.9 → 9.9.9 → 9.9.10) published in rapid succession over seven days is textbook dependency-confusion version-bumping intended to outrank an internal package. The publisher uses a disposable-domain email (`gfde.site`) and has two other packages under the same account, a pattern consistent with an attacker operating multiple probes. ENTRY check-environment.js (install-hook: node check-environment.js) - Install Hook Executes Local JS File in package.json OBFUSCATION - Decoded Hex String Content in utils.js (x6) - recovered 3 urls, 4 domains from decoded/deobfuscated content PAYLOAD FILES utils.js INDICATORS (IOCs) - urls: https://api.ipify.org?format=json, https://api.myip.com, https://ifconfig.me/ip - domains: api.ipify.org, api.myip.com, ifconfig.me, 701309e1.log.dnslog.qzz.io - payloadFileHash: 67723c11c6e7befa84586af276353d741408bc970239b6cc91a30a3e70c73800

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsftc-advance-components9.9.10 (affected)

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›