VDB
GCVE-110-OSM-2026-1237
GCVE-110-OSM-2026-1237
Advisory PublishedCVSS 9.6/10
On require(), silently spawns a detached child process executing lib/caller.js which fetches and runs arbitrary Node.js from https://jsonkeeper.com/b/FAWPU (not yet in VT — first discovery) via new Function.constructor('require', payload)(require). The campaign operator's stage-2 payload was decoded (same operator u_k=301, t=3; npoint.io C2 variant; SHA256 of extracted JS: fdb582f16475cb79bebd0dffc48d610430cae2e39e9a3e2abd373b3413691838) and is a cross-platform RAT and infostealer: steals browser credentials and crypto wallet data from 13 Chromium-based browsers, exfiltrates .env files and the full home directory to http://144.172.110.132:8086/upload (Vultr VPS), and establishes a socket.io reverse shell at ws://144.172.110.132:8087 with clipboard monitoring. Four sibling packages share the identical loader (chai-as-chain-v2, chai-as-evm, chai-use-chain, lockedin-chai-chain).
index.js calls spawn('node', ['./lib/caller.js'], { detached: true, stdio: 'ignore' }) on every require(). caller.js base64-decodes https://jsonkeeper.com/b/FAWPU, GETs response.data.cookie with x-secret-key:_, executes via new Function.constructor('require', s)(require). FAWPU bucket: not in VT — first discovery. The stage-2 payload from this bucket was not independently decoded; the campaign operator's npoint.io payload (identical loader pattern, same response.data.cookie field, operator u_k=301 t=3) was decoded via synchrony. Hash correction: 00a32991... was SHA256 of the raw JSON HTTP response wrapper; correct extracted-JS hash is fdb582f1... — not in VT. Payload behavior: (1) ldbScript — browser credential stealer targeting 13 Chromium-based browsers, 40 crypto wallet extensions (MetaMask, Phantom, etc.), macOS login.keychain-db; uploads to http://144.172.110.132:8086/upload. (2) autoUploadScript — full filesystem crawler targeting .env* files; uploads ≤10MB files. (3) socketScript — socket.io RAT at ws://144.172.110.132:8087 with remote shell and 1-second clipboard monitoring. C2: Vultr VPS, hostname gifted-rhodes.144-172-110-132.plesk.page, 0/94 VT detections — fresh infrastructure. Operator: u_k=301, t=3, HMAC SuperStr0ngSecret@)@^.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-as-adapter | 1.5.2 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.