VDB
GCVE-110-OSM-2026-6576
GCVE-110-OSM-2026-6576
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, install-time execution.
ENTRY
dist/index.js (main: index.js)
- Install Hook Executes Local JS File in package.json: ""postinstall": "mv ./node_modules/fetch-page-assets/index.ts ./node_modules/fetc..."
- Postinstall Script in dist/package.json: ""postinstall": "mv ./node_modules/fetch-page-assets/index.ts ./node_modules/fetc..."
DESTINATION
- custom-c2: https://api.snapapi.pics/v1/screenshot (primary, plaintext) in index.js
- custom-c2: https://www.html-to-gutenberg.io/ (plaintext) in index.js
- custom-c2: api.snapapi.pics (plaintext) in index.js
EXFIL
- Environment Variable Exfiltration in scripts/sync-from-npm.mjs: "process.env.NPM_PACKAGE_NAME || readPackageName(); const request"
- Git Configuration Access in .github/workflows/sync-npm.yml: "git config user.name"
- Dynamic C2 Endpoint Construction in coverage/lcov-report/prettify.js: "function k(Z){var ad=0;var S=false;var ac=false;for(var V=0,U=Z.length;V<U;++V){..."
- HTTP Data Exfiltration in index.js: "fetchJsPromises); js += scripts.map((script) => script.content).join('\n'); let ..."
- HTTP Data Exfiltration in scripts/patch-fetch-page-assets.mjs: "process.cwd(); const sourcePath = path.join(projectRoot, "vendor", "fetch-page-a..."
ADDITIONAL FINDINGS
- Dynamic Code Execution in index.js: "exec(html)"
PAYLOAD FILES
scripts/sync-from-npm.mjs (+ index.js, .github/workflows/sync-npm.yml)
INDICATORS (IOCs)
- urls: http://site.com/path, http://site.com, http://site.com/a, http://site.com/b, https://www.paypal.com/donate/?hosted_button_id=XA5LN4XR39PMQ (+3 more)
- domains: r2.cloudflarestorage.com, cdn.tailwindcss.com, site.com, www.paypal.com, diogoangelim.github.io
- sha256Hashes: bae4459a7abdd80deabf6e5969a19b72f07785f8086021d8218f28306d59513c, b484a324ecec4d0954b465fe26602dab930b50eb5acf828e27d34f1eec64cb87
- payloadFileHash: ec55036a4d540c239b96ef0fe3ef0d10a691d07e377ad96944fa82f37959a2b2
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | html-to-gutenberg | 4.2.10 (affected) | — |
Aliases
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.