VDB
GCVE-110-OSM-2026-1161
GCVE-110-OSM-2026-1161
Advisory PublishedCVSS 9.6/10
Malicious npm package published by account nrwise (nrwise@proton.me) as part of the axios supply chain compromise campaign. Part of the same C2 infrastructure (sfrclak.com) used in the compromised axios versions. Drops remote access trojan payloads.
=== PAYLOAD: RAT Dropper ===
C2 URL: http://sfrclak.com:8000/6202033
C2 IP: 142.11.206.73
Behavior: Contacts C2 server and delivers platform-specific second-stage RAT payloads:
- macOS: /Library/Caches/com.apple.act.mond
- Windows: %PROGRAMDATA%\wt.exe
- Linux: /tmp/ld.py
Published by npm account nrwise (nrwise@proton.me).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | plain-crypto-js | 4.2.1 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.