VDB

GCVE-110-OSM-2026-6516

GCVE-110-OSM-2026-6516
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 22, 2026
The publisher 'polyx' has a malicious ratio of 0.67 (6 of 9 checked packages confirmed malicious in OSM), including critical-severity packages eslint-helper-1, new-helper, and new-ts-helper. Critically, this package directly depends on 'new-helper', which is itself flagged as malicious in OSM — meaning the malicious payload is likely delivered transitively through that dependency rather than embedded in the big.js source code clone. The package masquerades as the legitimate big.js library (same description, author name, version 5.8.0, GitHub repository URL) — a classic typosquatting/brandjacking attack pattern. The 4-day-old burner account with 10 packages showing near-duplicate names is a hallmark of a malicious campaign using a throwaway publisher identity. The entrypoint file appears to be a clean copy of big.js used as camouflage, but the malicious dependency 'new-helper' provides the actual attack vector. ENTRY big.mjs (main: big.mjs) ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages - Malicious Dependency Detected (OSM) in package.json - Very New NPM Publisher Account - Publisher Shows Burner-Account Pattern - Malicious Dependency Detected in package.json INDICATORS (IOCs) - urls: http://mikemcl.github.io/big.js/, https://deno.land/, https://opencollective.com/bigjs, https://www.coinbase.com/ - domains: mikemcl.github.io, www.coinbase.com, deno.land - emails: start@yc.length, adding@yc.length

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnew-ecro-helper5.8.0 (affected)

References

vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›