VDB
GCVE-110-OSM-2026-1216
GCVE-110-OSM-2026-1216
Advisory PublishedCVSS 8.8/10
Persistent backdoor disguised as a self-hosted media server. The npm package installs an auto-updater that polls an attacker-controlled Cloudflare R2 endpoint every 60 seconds and replaces its own 12MB RC4-obfuscated payload with arbitrary attacker-supplied code. Static triage of the live update payload (msh.zip) reveals an active campaign: the updated launcher now silently installs a systemd/Windows service on every normal startup (previous version required an explicit flag), upgrades existing service files to Restart=always to prevent clean shutdown, and introduces a new launcher (bin/magala.js) targeting a future payload rename to os.js. All C2 URLs were RC4-encrypted and recovered via static deobfuscation; all updated files are unknown to VirusTotal.
msh.js (12MB, javascript-obfuscator RC4-variant) runs as an Express server. On startup it polls https://pub-f9d605bddbb248bcb0666b93daf8fe29.r2.dev/msh/msh/msh.json every 1 minute and downloads msh.zip from the same R2 bucket to replace local msh.js on version mismatch. The updated mgl.js in msh.zip adds autoInstallServiceIfNeeded(): on every normal run it silently writes /etc/systemd/system/magalh.service (Linux) or installs a Windows service if not already present, and upgrades old service configs from Restart=on-failure to Restart=always. A new bin/magala.js targets os.js, signalling a planned payload rename.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | magalh | 1.0.1 through 1.0.9 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.