VDB

GCVE-110-OSM-2026-1201

GCVE-110-OSM-2026-1201
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
On require(), a detached child process executes lib/caller.js which fetches and runs arbitrary Node.js from https://jsonkeeper.com/b/BADC6 (not yet in VT — first discovery) via new Function.constructor('require', payload)(require). The campaign operator's stage-2 payload was decoded (same operator u_k=301, t=3; npoint.io C2 variant; SHA256 of extracted JS: fdb582f16475cb79bebd0dffc48d610430cae2e39e9a3e2abd373b3413691838) and is a cross-platform RAT and infostealer: steals browser credentials and crypto wallet data from 13 Chromium-based browsers, exfiltrates .env files and the full home directory to http://144.172.110.132:8086/upload (Vultr VPS), and establishes a socket.io reverse shell at ws://144.172.110.132:8087 with clipboard monitoring. Sibling trackora-chain@2.4.5 carries an identical loader. lib/caller.js IIFE base64-decodes https://jsonkeeper.com/b/BADC6, GETs response.data.cookie with x-secret-key:_, executes via new Function.constructor('require', s)(require). BADC6 bucket: not in VT — first discovery. The stage-2 payload from this bucket was not independently decoded; the campaign operator's npoint.io payload (identical loader pattern, same response.data.cookie field, operator u_k=301 t=3) was decoded via synchrony. Hash correction: 00a32991... was SHA256 of the raw JSON HTTP response wrapper; correct extracted-JS hash is fdb582f1... — not in VT. Payload behavior: (1) ldbScript — browser credential stealer targeting 13 Chromium-based browsers, 40 crypto wallet extensions (MetaMask, Phantom, etc.), macOS login.keychain-db; uploads to http://144.172.110.132:8086/upload. (2) autoUploadScript — full filesystem crawler targeting .env* files; uploads ≤10MB files. (3) socketScript — socket.io RAT at ws://144.172.110.132:8087 with remote shell and 1-second clipboard monitoring. C2: Vultr VPS, hostname gifted-rhodes.144-172-110-132.plesk.page, 0/94 VT detections — fresh infrastructure. Operator: u_k=301, t=3, HMAC SuperStr0ngSecret@)@^.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntrackora-node2.4.5 (affected)

References

vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›