VDB

GCVE-110-OSM-2026-734

GCVE-110-OSM-2026-734
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published March 27, 2026
Typosquat of legitimate finch bioinformatics tool that acts as a malware loader, secretly depending on sha-rust credential stealer which automatically updates to latest malicious version via unpinned dependency. Appears as legitimate genomic MinHashing tool with nearly identical functionality to finch v0.6.2, but includes single malicious line (sha_rust::from_str()) in src/filtering.rs that triggers credential stealer during sketch serialization. Uses unpinned dependency 'sha-rust = "0.1"' to auto-deliver latest malware variant to all victims.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownfinch-rustall (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›