VDB

GCVE-110-OSM-2026-7108

GCVE-110-OSM-2026-7108
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 1, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, install-time execution. ENTRY demo-clean.js (install-hook: node demo-clean.js) - Install Hook Executes Local JS File in package.json EXFIL - System Information Collection in demo-clean.js: "os.homedir()" ADDITIONAL FINDINGS - Download Execute Delete Pattern in demo-clean.js: "execSync("kcalc", { stdio: "ignore" }); } catch {} } } } catch {} } function rm(..." - Shell Command Execution in demo-clean.js: "require("child_process")" - Silent Process Execution in demo-clean.js: "stdio: "ignore"" - Very New NPM Publisher Account - Publisher Has Other Malicious Packages PAYLOAD FILES demo-clean.js INDICATORS (IOCs) - payloadFileHash: 13cb7636139b90c80d776dfc3c0f5e613a2dcf1e0655a6c2f5c3ac6517062e69

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntest-pkg-pnpmall (affected)

References

advisory
vendor

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›