VDB
GCVE-110-OSM-2026-6584
GCVE-110-OSM-2026-6584
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.
ENTRY
preinstall.js (install-hook: node preinstall.js)
- Install Hook Executes Local JS File in package.json
- Postinstall Script in package.json
DESTINATION
- custom-c2: d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun (primary, decoded) in postinstall.js
EXFIL
- OAST/Interactsh Exfiltration in postinstall.js: ".oast.fun"
- DNS Lookup in postinstall.js: "dns.resolve("
- Suspicious Domain in postinstall.js: "oast.fun"
OBFUSCATION
- Decoded Base64 Content in preinstall.js (x10)
- Base64 Encoded Payload in preinstall.js: ""dHJ5IHsgY29uc3QgaW5mbyA9IEpTT04uc3RyaW5naWZ5KHsgaG9zdG5hbWU6IG9zLmhvc3RuYW1lKCk..."
- recovered 1 domains, 11 urls, 1 ips from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Base64 Decoded Eval in preinstall.js: "eval(Buffer.from("
- Shell Command Execution in preinstall.js: "require("child_process")"
PAYLOAD FILES
preinstall.js
INDICATORS (IOCs)
- urls: https://${OOB}/info?d=${encodeURIComponent(info, https://${OOB}/ip?d=${encodeURIComponent(ips.join(, https://${OOB}/env?d=${encodeURIComponent(envStr, https://${OOB}/npmrc?d=${encodeURIComponent(npmrc.trim(, http://169.254.169.254/latest/api/token (+6 more)
- ips: 169.254.169.254
- payloadFileHash: 39ae25d13298908a1878be76d11f578e23bed4a13b5934b8d2affb05b4b82b29
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | hunsterx-package | all (affected) | — |
Aliases
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.