VDB

GCVE-110-OSM-2026-6576

GCVE-110-OSM-2026-6576
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 24, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, install-time execution. ENTRY dist/index.js (main: index.js) - Install Hook Executes Local JS File in package.json: ""postinstall": "mv ./node_modules/fetch-page-assets/index.ts ./node_modules/fetc..." - Postinstall Script in dist/package.json: ""postinstall": "mv ./node_modules/fetch-page-assets/index.ts ./node_modules/fetc..." DESTINATION - custom-c2: https://api.snapapi.pics/v1/screenshot (primary, plaintext) in index.js - custom-c2: https://www.html-to-gutenberg.io/ (plaintext) in index.js - custom-c2: api.snapapi.pics (plaintext) in index.js EXFIL - Environment Variable Exfiltration in scripts/sync-from-npm.mjs: "process.env.NPM_PACKAGE_NAME || readPackageName(); const request" - Git Configuration Access in .github/workflows/sync-npm.yml: "git config user.name" - Dynamic C2 Endpoint Construction in coverage/lcov-report/prettify.js: "function k(Z){var ad=0;var S=false;var ac=false;for(var V=0,U=Z.length;V<U;++V){..." - HTTP Data Exfiltration in index.js: "fetchJsPromises); js += scripts.map((script) => script.content).join('\n'); let ..." - HTTP Data Exfiltration in scripts/patch-fetch-page-assets.mjs: "process.cwd(); const sourcePath = path.join(projectRoot, "vendor", "fetch-page-a..." ADDITIONAL FINDINGS - Dynamic Code Execution in index.js: "exec(html)" PAYLOAD FILES scripts/sync-from-npm.mjs (+ index.js, .github/workflows/sync-npm.yml) INDICATORS (IOCs) - urls: http://site.com/path, http://site.com, http://site.com/a, http://site.com/b, https://www.paypal.com/donate/?hosted_button_id=XA5LN4XR39PMQ (+3 more) - domains: r2.cloudflarestorage.com, cdn.tailwindcss.com, site.com, www.paypal.com, diogoangelim.github.io - sha256Hashes: bae4459a7abdd80deabf6e5969a19b72f07785f8086021d8218f28306d59513c, b484a324ecec4d0954b465fe26602dab930b50eb5acf828e27d34f1eec64cb87 - payloadFileHash: ec55036a4d540c239b96ef0fe3ef0d10a691d07e377ad96944fa82f37959a2b2

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownhtml-to-gutenberg4.2.10 (affected)

References

advisory
vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›