VDB

GCVE-110-OSM-2026-75

GCVE-110-OSM-2026-75
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 6, 2026
Malicious package detected. Behaviors: obfuscated code. Entrypoint: index.js (main: index.js) Payload: index.js Key findings: - IOCs Found in Deobfuscated Code in index.js - Obfuscation: function to array replacements in index.js - Very New NPM Publisher Account - Publisher Has Other Malicious Packages - Malicious Dependency Detected (OSM) in package.json IOCs: - ipv4: 13.3.3.7 - urls: https://feross.org - domains: jongleberry.com, somethingdoug.com, feross.org - emails: me@jongleberry.com, doug@somethingdoug.com - _domainCandidates: feross.org - payloadFileHash: 7bc2c525efe4593023441e42b9ea4dcee7f143f0bdc16e1efcea19896d789a0a

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnetflixidall (affected), all (affected), all (affected), all (affected), all (affected), all (affected)
unknown@sql-access/nodesqlall (affected)
unknownuipagainall (affected)
unknowntransform-export-extensions* (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

References

advisory
vendor
advisory
vendor
advisory
vendor
vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›