VDB

GCVE-110-OSM-2026-69

GCVE-110-OSM-2026-69
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published June 7, 2026
The publisher 'quebeccoise' has a confirmed critical-severity malicious package ('mf-system', threat_id 3849a370-e7f9-40e5-82e2-3387e1748964) already reported in OSM, giving a malicious ratio of 0.25 across only 4 checked packages — a meaningful signal. This package shares a naming pattern with the publisher's other packages (@node-mf/tools, @node-mf/utils, mf-system) suggesting a coordinated campaign rather than an isolated incident. The package is brand new (created and published same day), has zero metadata (no description, no repository, no keywords), and is a single version — classic throwaway/burner shape consistent with a campaign that drops multiple packages. No code-level findings are available (no entrypoint resolved, no IOCs extracted), so the attacker model cannot be confirmed from static analysis alone, but publisher history and metadata pattern are sufficient to flag this for investigation. ADDITIONAL FINDINGS - Brand New Package - Publisher Has Other Malicious Packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownreact-tailwindcss-style* (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknownpulse-scroll-triggered-list-items* (affected)
unknownnode-os-mfall (affected)
unknownwhatnot-web* (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›