VDB

GCVE-110-OSM-2025-258

GCVE-110-OSM-2025-258
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published September 30, 2025
Repository compromised by the PolinRider DPRK threat actor (Lazarus, Contagious Interview cluster). The propagation script artifact (temp_auto_push.bat with LAST_COMMIT_DATE/LAST_COMMIT_TIME variables and force-push) was found at temp_hybrid_push.bat. This Windows batch file is dropped by the malware to amend git history while preserving original commit timestamps, then force-push to GitHub bypassing pre-commit hooks. Even if the obfuscated JS payload has been cleaned up, this file is direct evidence of past compromise. Propagation script artifact found in: temp_hybrid_push.bat Markers: LAST_COMMIT_DATE File contents (excerpt): rewrites the most recent git commit while preserving the original timestamp, sets local git user.name/email to match original commit, then 'git push -uf origin <branch> --no-verify' to overwrite remote history. Detection pivot: filename or content match for LAST_COMMIT_DATE/LAST_COMMIT_TIME inside a .bat file.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›