VDB

GCVE-110-OSM-2026-71

GCVE-110-OSM-2026-71
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published June 7, 2026
The publisher 'quebeccoise' has a confirmed malicious package (mf-system, severity: critical) already reported in OSM, giving a publisherMaliciousRatio of 0.25 across only 4 checked packages — a significant red flag. This package (@node-mf/tools) was created and published within the same session as several other packages by the same author (@node-mf/utils, node-os-mf, mf-system), suggesting a coordinated campaign rather than organic development. The package has zero meaningful metadata (no description, no repository, no keywords) and only a single version, consistent with a throwaway burner package. No code-level findings are available to confirm active malicious behavior in this specific package, but the publisher context and package cluster pattern are consistent with a multi-package supply chain attack campaign. ADDITIONAL FINDINGS - Brand New Package - Publisher Has Other Malicious Packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownmilla-migration* (affected)
unknownpuzzle-render-kitall (affected), all (affected), * (affected), * (affected), all (affected), * (affected)
unknownnflx-releaseall (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected)
unknown@node-mf/toolsall (affected)

References

advisory
vendor
advisory
vendor
advisory
vendor
vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›