VDB
GCVE-110-OSM-2026-1219
GCVE-110-OSM-2026-1219
Advisory PublishedCVSS 9.6/10
On require(), spawns a detached background process that fetches from http://server-check-genimi.vercel[.]app/defy/v3 with header bearrtoken:logo and executes the stage-2 payload exclusively on HTTP 404 response via new Function.constructor('require', payload)(require) — 404-triggered delivery deliberately evades sandboxes that receive a benign 200 (0/94 VT on endpoint). Part of the hello@jsonspack[.]com campaign; sibling of accepted express-flowlimit (OSM eb2026b8).
index.js spawns lib/caller.js detached. lib/config.js defines DEV_API_CHECK_DOMAIN='http://server-check-genimi.vercel.app', aspath='/defy/', token='v3'. caller.js assembles full URL from config components and GETs with header bearrtoken:logo. On HTTP 200: logs decoy message and exits (sandbox evasion). On HTTP 404: executes error.response.data.token via new (Function.constructor)('require', token)(require). C2 fragmented across config.js to defeat static IOC matching. 5 retry attempts.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-extensions-extra | 1.2.2 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.