VDB
GCVE-110-OSM-2026-70
GCVE-110-OSM-2026-70
Advisory PublishedCVSS 5.4/10
The publisher 'quebeccoise' has already had a package (mf-system) flagged as critical malicious in OSM, representing a 25% malicious ratio across their 4 checked packages. This package was created and published within hours, has zero meaningful metadata (no description, no repository, no keywords), and fits the classic burner/throwaway shape used by threat actors spinning up additional delivery vectors. While no code-level findings were triggered (no IOCs, no entrypoint resolved), the combination of a confirmed malicious publisher, brand-new package with minimal metadata, and the broader cluster of related packages (@node-mf/tools, @node-mf/utils, node-os-mf) warrants treating this as part of an active campaign pending code inspection.
ADDITIONAL FINDINGS
- Brand New Package
- Publisher Has Other Malicious Packages
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sd-basket-highlight | all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | carrie-white | all (affected) | — |
| unknown | pulse-rsvp-card-entity | all (affected) | — |
| unknown | wn-idv-persona-client | all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
References
Malicious npm package: carrie-white
advisory
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.