VDB
GCVE-110-OSM-2026-734
GCVE-110-OSM-2026-734
Advisory PublishedCVSS 8.8/10
Typosquat of legitimate finch bioinformatics tool that acts as a malware loader, secretly depending on sha-rust credential stealer which automatically updates to latest malicious version via unpinned dependency.
Appears as legitimate genomic MinHashing tool with nearly identical functionality to finch v0.6.2, but includes single malicious line (sha_rust::from_str()) in src/filtering.rs that triggers credential stealer during sketch serialization. Uses unpinned dependency 'sha-rust = "0.1"' to auto-deliver latest malware variant to all victims.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | finch-rust | all (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.