VDB

GCVE-110-OSM-2026-6714

GCVE-110-OSM-2026-6714
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 26, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. ENTRY dist/node-ponyfill.js (main: dist/node-ponyfill.js) DESTINATION - custom-c2: https://host (primary, deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.ac (deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.ae (deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.am (deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.aC (deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.aE (deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.aM (deobfuscated) in dist/node-ponyfill.js - custom-c2: gh.gl (deobfuscated) in dist/node-ponyfill.js (+43 more) EXFIL - Environment Variable Exfiltration in dist/node-ponyfill.js: "process.env && process.env.CROSS_FETCH_DEBUG) { process.stderr.write('[cross-fet..." OBFUSCATION - IOCs Found in Deobfuscated Code in dist/node-ponyfill.js - Obfuscation: augmented proxied array function replacements in dist/node-ponyfill.js - Obfuscation: obfuscator.io in dist/node-ponyfill.js - Obfuscation patterns: stringArrayAccess, controlFlowFlattening in dist/node-ponyfill.js - recovered 1 urls, 50 domains, 50 _domainCandidates from decoded/deobfuscated content ADDITIONAL FINDINGS - Very New NPM Publisher Account PAYLOAD FILES dist/node-ponyfill.js INDICATORS (IOCs) - urls: https://github.github.io/fetch/, https://jsfiddle.net/lquixada/3ypqgacp/, https://www.nytimes.com/, https://swagger.io/, http://vulcanjs.org (+2 more) - domains: github.github.io, jsfiddle.net, www.nytimes.com, swagger.io, vulcanjs.org (+1 more) - payloadFileHash: 62a7c6e9fcd26c6a108978a0039d466d0b5c0761093bf60efa4c96e4bd1b1e57

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@merceas/cross-fetch3.1.12 (affected)

References

advisory
vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›