VDB

GCVE-110-OSM-2026-79

GCVE-110-OSM-2026-79
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 6, 2026
The publisher account 'guilderguzman' is only 4 days old and has published five packages in rapid succession, all with SQLite or cloud-adjacent branding — a pattern consistent with a typosquat or dependency-confusion spray campaign. The decoded payload cannot be inspected without executing the RC4 decryption, but the totality of new account, clustered package spray, and deliberate RC4+base64+string-rotation obfuscation in a purported utility library is unambiguous adversarial intent. Entrypoint: index.js (main: index.js) Key findings: - Very New NPM Publisher Account The index.js entrypoint contains a sophisticated multi-layer obfuscation stack: a rotating string-array, a custom base64 decoder, and a full RC4 stream cipher implementation (the key-scheduling and PRNG loop in function `k`) used to decrypt string literals at runtime. No legitimate SQLite toolkit has any reason to encrypt its own string constants with RC4 and then decode them at load time — this is a classic attacker technique to hide IOCs (webhook URLs, exfil endpoints, shell commands) from static scanners, which explains why the static score came back low despite the payload being adversarial.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncit-playwright-testsall (affected)
unknown@sqlite-node/createsqlall (affected)
unknownmonorepo-copall (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected)
unknownpulse-shop-sectionall (affected), all (affected), all (affected), all (affected), * (affected), * (affected)
unknown@universeorg/dotenvall (affected)

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›