VDB
GCVE-110-OSM-2026-5944
GCVE-110-OSM-2026-5944
Advisory PublishedCVSS 9.6/10
This package implements a classic dropper pattern: a postinstall hook executes `bin/setup.js`, which silently launches a bundled Windows executable (`assets/setup-helper.exe`) as a detached, hidden process (`windowsHide: true`, `stdio: 'ignore'`, `child.unref()`) that survives the parent process — the canonical technique for launching a background payload on victim install. No legitimate string-utility library needs to ship and silently execute a Windows binary at install time. The publisher 'testuser1234567' created their account and published all 10 packages within minutes on 2025-08-26, all with nearly identical 'string manipulation utility' descriptions and similar names, indicating a coordinated package-spray campaign likely targeting typosquatting victims. The static score of 25 substantially underweights the risk because it did not account for the bundled binary; the actual attacker model is: victim installs any of the 10 spray packages, the postinstall hook drops and executes setup-helper.exe silently in the background, enabling arbitrary code execution with no visible output or process window.
ENTRY
bin/setup.js (install-hook: node bin/setup.js)
- Install Hook Executes Local JS File in package.json
ADDITIONAL FINDINGS
- Stealth Background Process Spawning in bin/setup.js: "spawn(exePathWin, [], { detached: true, stdio: 'ignore', windowsHide: true }"
- Silent Process Execution in bin/setup.js: "stdio: 'ignore'"
- Detached Child Process Payload in bin/setup.js: "spawn(exePathWin, [], { detached: true"
PAYLOAD FILES
bin/setup.js
INDICATORS (IOCs)
- urls: https://www.typescriptlang.org/
- domains: www.typescriptlang.org
- payloadFileHash: f9fc893c007f708e0186bbd92b7363cd8bf5031c018edea182574bbf4dfa052d
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strmagic-kit | all (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.