VDB

GCVE-VVD-OSM-2026-837

GCVE-VVD-OSM-2026-837
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published March 27, 2026
This package is a malicious typo squatted attack that attempts to exfiltrate Oath data This attack uses a time-based trigger mechanism that activates only on the 15th of each month, creating a delay between installation and credential theft that helps evade immediate detection, complicates attribution by making it harder to trace the source of the leak, and ensures persistent access to potentially updated credentials through monthly execution.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownio.github.leetcrunch:scribejava-coreall (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›