VDB

GCVE-110-OSM-2026-70

GCVE-110-OSM-2026-70
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published June 7, 2026
The publisher 'quebeccoise' has already had a package (mf-system) flagged as critical malicious in OSM, representing a 25% malicious ratio across their 4 checked packages. This package was created and published within hours, has zero meaningful metadata (no description, no repository, no keywords), and fits the classic burner/throwaway shape used by threat actors spinning up additional delivery vectors. While no code-level findings were triggered (no IOCs, no entrypoint resolved), the combination of a confirmed malicious publisher, brand-new package with minimal metadata, and the broader cluster of related packages (@node-mf/tools, @node-mf/utils, node-os-mf) warrants treating this as part of an active campaign pending code inspection. ADDITIONAL FINDINGS - Brand New Package - Publisher Has Other Malicious Packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownsd-basket-highlightall (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknowncarrie-whiteall (affected)
unknownpulse-rsvp-card-entityall (affected)
unknownwn-idv-persona-clientall (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›