VDB
GCVE-110-OSM-2026-5939
GCVE-110-OSM-2026-5939
Advisory PublishedCVSS 9.6/10
This is a dependency-confusion attack masquerading as a 'terminal snake game'. The preinstall hook unconditionally calls `initSystem()` from `utils.js` because `isDev` is hardcoded to `true`, making the snake-game banner dead code that exists only as camouflage. `utils.js` hides its payload behind hex-encoded strings that decode to three IP-lookup services (`api.ipify.org`, `api.myip.com`, `ifconfig.me/ip`) and a DNS-based OAST exfiltration endpoint (`701309e1.log.dnslog.qzz.io`), a classic canary-style callback used to confirm code execution on a victim's machine and leak the public IP. The inflated version sequence (0.9.9 → 9.9.9 → 9.9.10) published in rapid succession over seven days is textbook dependency-confusion version-bumping intended to outrank an internal package. The publisher uses a disposable-domain email (`gfde.site`) and has two other packages under the same account, a pattern consistent with an attacker operating multiple probes.
ENTRY
check-environment.js (install-hook: node check-environment.js)
- Install Hook Executes Local JS File in package.json
OBFUSCATION
- Decoded Hex String Content in utils.js (x6)
- recovered 3 urls, 4 domains from decoded/deobfuscated content
PAYLOAD FILES
utils.js
INDICATORS (IOCs)
- urls: https://api.ipify.org?format=json, https://api.myip.com, https://ifconfig.me/ip
- domains: api.ipify.org, api.myip.com, ifconfig.me, 701309e1.log.dnslog.qzz.io
- payloadFileHash: 67723c11c6e7befa84586af276353d741408bc970239b6cc91a30a3e70c73800
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sftc-advance-components | 9.9.10 (affected) | — |
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.