VDB

GCVE-110-OSM-2026-6923

GCVE-110-OSM-2026-6923
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 29, 2026
Malicious package detected. Behaviors: data exfiltration, code execution. ENTRY index.js (main: index.js) EXFIL - HTTP Data Exfiltration in lib/store.js: "process.cwd(); const url = await resolveUrl({ url: options.url, projectRoot }); ..." ADDITIONAL FINDINGS - Download Execute Delete Pattern in lib/store.js: "exec(command, (error) => { fs.unlink" - Shell Command Execution in lib/store.js: "require('child_process')" - Brand New Package PAYLOAD FILES lib/store.js INDICATORS (IOCs) - urls: https://www.rfc-editor.org/rfc/rfc9562 - payloadFileHash: 18f4b1801146529d0b42b0166d758a637773f3e98c3e5669f5686b8a8cb827d4

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowndate-uuidall (affected)

References

advisory
vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›