VDB

GCVE-110-OSM-2026-1388

GCVE-110-OSM-2026-1388
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 2, 2026
Executes a 712 KB obfuscated VM-style JavaScript bundle (print.js) at install time via postinstall hook, concealed inside a plausible colorized-logger cover package. The bundle directly accesses user home directory environment variables (HOME, APPDATA, LOCALAPPDATA, USERPROFILE, XDG_DATA_HOME) and imports child_process (execFileSync, spawnSync, spawn) and fetch, indicating system reconnaissance and data exfiltration. All C2 targets are encoded within the 712 KB bundle and not recoverable statically. package.json postinstall runs 'node print.js'. print.js (712.3 KB, SHA256: df953c9e93b8) is a VM-obfuscated bundle that captures Function and fetch via Object.defineProperty on a global vmg_c14f8a namespace (anti-static-analysis pattern). Bundle imports: node:child_process (execFileSync, spawnSync, spawn), node:os, node:fs/promises, node:path, zlib. Reads HOME, APPDATA, LOCALAPPDATA, USERPROFILE, XDG_DATA_HOME env vars. WebSocket (ws ^8.18.0) dependency suggests possible WebSocket-based C2. dist/index.js contains a benign Logger class as cover.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownjs-logger-pack1.1.7 (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›