VDB

GCVE-110-OSM-2026-1219

GCVE-110-OSM-2026-1219
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
On require(), spawns a detached background process that fetches from http://server-check-genimi.vercel[.]app/defy/v3 with header bearrtoken:logo and executes the stage-2 payload exclusively on HTTP 404 response via new Function.constructor('require', payload)(require) — 404-triggered delivery deliberately evades sandboxes that receive a benign 200 (0/94 VT on endpoint). Part of the hello@jsonspack[.]com campaign; sibling of accepted express-flowlimit (OSM eb2026b8). index.js spawns lib/caller.js detached. lib/config.js defines DEV_API_CHECK_DOMAIN='http://server-check-genimi.vercel.app', aspath='/defy/', token='v3'. caller.js assembles full URL from config components and GETs with header bearrtoken:logo. On HTTP 200: logs decoy message and exits (sandbox evasion). On HTTP 404: executes error.response.data.token via new (Function.constructor)('require', token)(require). C2 fragmented across config.js to defeat static IOC matching. 5 retry attempts.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchai-extensions-extra1.2.2 (affected)

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›