VDB
GCVE-110-OSM-2025-224
GCVE-110-OSM-2025-224
Advisory PublishedCVSS 8.8/10
Repository compromised by the PolinRider DPRK threat actor (Lazarus, Contagious Interview cluster). The propagation script artifact (temp_auto_push.bat with LAST_COMMIT_DATE/LAST_COMMIT_TIME variables and force-push) was found at temp_hybrid_push.bat. This Windows batch file is dropped by the malware to amend git history while preserving original commit timestamps, then force-push to GitHub bypassing pre-commit hooks. Even if the obfuscated JS payload has been cleaned up, this file is direct evidence of past compromise.
Propagation script artifact found in: temp_hybrid_push.bat
Markers: LAST_COMMIT_DATE
File contents (excerpt): rewrites the most recent git commit while preserving the original timestamp, sets local git user.name/email to match original commit, then 'git push -uf origin <branch> --no-verify' to overwrite remote history.
Detection pivot: filename or content match for LAST_COMMIT_DATE/LAST_COMMIT_TIME inside a .bat file.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | * (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.