VDB

GCVE-110-OSM-2026-1216

GCVE-110-OSM-2026-1216
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published February 23, 2026
Persistent backdoor disguised as a self-hosted media server. The npm package installs an auto-updater that polls an attacker-controlled Cloudflare R2 endpoint every 60 seconds and replaces its own 12MB RC4-obfuscated payload with arbitrary attacker-supplied code. Static triage of the live update payload (msh.zip) reveals an active campaign: the updated launcher now silently installs a systemd/Windows service on every normal startup (previous version required an explicit flag), upgrades existing service files to Restart=always to prevent clean shutdown, and introduces a new launcher (bin/magala.js) targeting a future payload rename to os.js. All C2 URLs were RC4-encrypted and recovered via static deobfuscation; all updated files are unknown to VirusTotal. msh.js (12MB, javascript-obfuscator RC4-variant) runs as an Express server. On startup it polls https://pub-f9d605bddbb248bcb0666b93daf8fe29.r2.dev/msh/msh/msh.json every 1 minute and downloads msh.zip from the same R2 bucket to replace local msh.js on version mismatch. The updated mgl.js in msh.zip adds autoInstallServiceIfNeeded(): on every normal run it silently writes /etc/systemd/system/magalh.service (Linux) or installs a Windows service if not already present, and upgrades old service configs from Restart=on-failure to Restart=always. A new bin/magala.js targets os.js, signalling a planned payload rename.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmagalh1.0.1 through 1.0.9 (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›