VDB

GCVE-110-OSM-2026-5944

GCVE-110-OSM-2026-5944
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a classic dropper pattern: a postinstall hook executes `bin/setup.js`, which silently launches a bundled Windows executable (`assets/setup-helper.exe`) as a detached, hidden process (`windowsHide: true`, `stdio: 'ignore'`, `child.unref()`) that survives the parent process — the canonical technique for launching a background payload on victim install. No legitimate string-utility library needs to ship and silently execute a Windows binary at install time. The publisher 'testuser1234567' created their account and published all 10 packages within minutes on 2025-08-26, all with nearly identical 'string manipulation utility' descriptions and similar names, indicating a coordinated package-spray campaign likely targeting typosquatting victims. The static score of 25 substantially underweights the risk because it did not account for the bundled binary; the actual attacker model is: victim installs any of the 10 spray packages, the postinstall hook drops and executes setup-helper.exe silently in the background, enabling arbitrary code execution with no visible output or process window. ENTRY bin/setup.js (install-hook: node bin/setup.js) - Install Hook Executes Local JS File in package.json ADDITIONAL FINDINGS - Stealth Background Process Spawning in bin/setup.js: "spawn(exePathWin, [], { detached: true, stdio: 'ignore', windowsHide: true }" - Silent Process Execution in bin/setup.js: "stdio: 'ignore'" - Detached Child Process Payload in bin/setup.js: "spawn(exePathWin, [], { detached: true" PAYLOAD FILES bin/setup.js INDICATORS (IOCs) - urls: https://www.typescriptlang.org/ - domains: www.typescriptlang.org - payloadFileHash: f9fc893c007f708e0186bbd92b7363cd8bf5031c018edea182574bbf4dfa052d

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstrmagic-kitall (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›