VDB
GCVE-110-OSM-2026-71
GCVE-110-OSM-2026-71
Advisory PublishedCVSS 5.4/10
The publisher 'quebeccoise' has a confirmed malicious package (mf-system, severity: critical) already reported in OSM, giving a publisherMaliciousRatio of 0.25 across only 4 checked packages — a significant red flag. This package (@node-mf/tools) was created and published within the same session as several other packages by the same author (@node-mf/utils, node-os-mf, mf-system), suggesting a coordinated campaign rather than organic development. The package has zero meaningful metadata (no description, no repository, no keywords) and only a single version, consistent with a throwaway burner package. No code-level findings are available to confirm active malicious behavior in this specific package, but the publisher context and package cluster pattern are consistent with a multi-package supply chain attack campaign.
ADDITIONAL FINDINGS
- Brand New Package
- Publisher Has Other Malicious Packages
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | milla-migration | * (affected) | — |
| unknown | puzzle-render-kit | all (affected), all (affected), * (affected), * (affected), all (affected), * (affected) | — |
| unknown | nflx-release | all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected) | — |
| unknown | @node-mf/tools | all (affected) | — |
References
Malicious npm package: nflx-release
advisory
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.