VDB

GCVE-110-OSM-2026-5942

GCVE-110-OSM-2026-5942
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 15, 2026
The publisher 'array-util' already has a confirmed critical-severity malicious package (bubblesearch, OSM threat d85616a2-5b57-4ff1-8d44-204c8078ba4c), giving a publisherMaliciousRatio of 0.5 — this is an attacker-controlled account dropping successive malicious packages. The entrypoint index.js is entirely obfuscated using the RC4+base64 rotating string-array pattern produced by javascript-obfuscator at maximum protection settings; this is not minification, it is deliberate concealment. No legitimate array-utility library obfuscates 100% of its source — the obfuscation exists solely to hide payload behaviour (likely C2 fetch or credential/environment exfiltration matching the pattern seen in bubblesearch). The package metadata is a classic throwaway shape: no description beyond 'Install:', no repository, single version, zero downloads, created and published within the same second. Combined with publisher history, the obfuscated loader pattern is consistent with the same install-time exfiltration or remote-code-execution campaign as bubblesearch. ENTRY index.js (main: index.js) ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@array-util/subsearchall (affected)

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›