VDB
GCVE-110-OSM-2026-69
GCVE-110-OSM-2026-69
Advisory PublishedCVSS 5.4/10
The publisher 'quebeccoise' has a confirmed critical-severity malicious package ('mf-system', threat_id 3849a370-e7f9-40e5-82e2-3387e1748964) already reported in OSM, giving a malicious ratio of 0.25 across only 4 checked packages — a meaningful signal. This package shares a naming pattern with the publisher's other packages (@node-mf/tools, @node-mf/utils, mf-system) suggesting a coordinated campaign rather than an isolated incident. The package is brand new (created and published same day), has zero metadata (no description, no repository, no keywords), and is a single version — classic throwaway/burner shape consistent with a campaign that drops multiple packages. No code-level findings are available (no entrypoint resolved, no IOCs extracted), so the attacker model cannot be confirmed from static analysis alone, but publisher history and metadata pattern are sufficient to flag this for investigation.
ADDITIONAL FINDINGS
- Brand New Package
- Publisher Has Other Malicious Packages
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | react-tailwindcss-style | * (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | pulse-scroll-triggered-list-items | * (affected) | — |
| unknown | node-os-mf | all (affected) | — |
| unknown | whatnot-web | * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.