VDB
GCVE-110-OSM-2026-79
GCVE-110-OSM-2026-79
Advisory PublishedCVSS 8.8/10
The publisher account 'guilderguzman' is only 4 days old and has published five packages in rapid succession, all with SQLite or cloud-adjacent branding — a pattern consistent with a typosquat or dependency-confusion spray campaign. The decoded payload cannot be inspected without executing the RC4 decryption, but the totality of new account, clustered package spray, and deliberate RC4+base64+string-rotation obfuscation in a purported utility library is unambiguous adversarial intent.
Entrypoint: index.js (main: index.js)
Key findings:
- Very New NPM Publisher Account
The index.js entrypoint contains a sophisticated multi-layer obfuscation stack: a rotating string-array, a custom base64 decoder, and a full RC4 stream cipher implementation (the key-scheduling and PRNG loop in function `k`) used to decrypt string literals at runtime. No legitimate SQLite toolkit has any reason to encrypt its own string constants with RC4 and then decode them at load time — this is a classic attacker technique to hide IOCs (webhook URLs, exfil endpoints, shell commands) from static scanners, which explains why the static score came back low despite the payload being adversarial.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cit-playwright-tests | all (affected) | — |
| unknown | @sqlite-node/createsql | all (affected) | — |
| unknown | monorepo-cop | all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected) | — |
| unknown | pulse-shop-section | all (affected), all (affected), all (affected), all (affected), * (affected), * (affected) | — |
| unknown | @universeorg/dotenv | all (affected) | — |
References
Malicious npm package: monorepo-cop
advisory
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.