VDB
GCVE-110-OSM-2024-1
GCVE-110-OSM-2024-1
Advisory PublishedCVSS 9.6/10
Brandjacking attack impersonating the legitimate XZ for Java compression library (org.tukaani:xz). Contains backdoor that listens on port 11337 for incoming connections and executes received data as arbitrary shell commands. Attacker published benign versions first to establish credibility before introducing malware in version 1.9. Follows the high-profile XZ Utils backdoor (CVE-2024-3094) discovery.
Backdoor initializes server socket on port 11337, listens for incoming connections, and executes any received data as a shell script. Uses obfuscated byte arrays for strings like /bin/sh and /tmp/evil.sh to evade static code analysis. After making /tmp/evil.sh executable, the attacker can run arbitrary commands with the privileges of the Java process. Comments in malicious code suggest AI-generated assistance (e.g., "Start listening to connections on port 11337", "Obfuscate string").
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| ReversingLabs | znowflake_client | all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| ReversingLabs | zen-ruby-linter | all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), * (affected), all (affected), * (affected), * (affected) | — |
| unknown | xz-java | — | — |
| unknown | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected), all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), * (affected), * (affected), * (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
Aliases
References
Malicious maven package: xz-java
advisory
Malicious package:
advisory
Malicious package:
advisory
Malicious package:
advisory
Malicious package:
advisory
Malicious package:
advisory
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.