VDB
GCVE-110-OSM-2026-1388
GCVE-110-OSM-2026-1388
Advisory PublishedCVSS 8.8/10
Executes a 712 KB obfuscated VM-style JavaScript bundle (print.js) at install time via postinstall hook, concealed inside a plausible colorized-logger cover package. The bundle directly accesses user home directory environment variables (HOME, APPDATA, LOCALAPPDATA, USERPROFILE, XDG_DATA_HOME) and imports child_process (execFileSync, spawnSync, spawn) and fetch, indicating system reconnaissance and data exfiltration. All C2 targets are encoded within the 712 KB bundle and not recoverable statically.
package.json postinstall runs 'node print.js'. print.js (712.3 KB, SHA256: df953c9e93b8) is a VM-obfuscated bundle that captures Function and fetch via Object.defineProperty on a global vmg_c14f8a namespace (anti-static-analysis pattern). Bundle imports: node:child_process (execFileSync, spawnSync, spawn), node:os, node:fs/promises, node:path, zlib. Reads HOME, APPDATA, LOCALAPPDATA, USERPROFILE, XDG_DATA_HOME env vars. WebSocket (ws ^8.18.0) dependency suggests possible WebSocket-based C2. dist/index.js contains a benign Logger class as cover.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | js-logger-pack | 1.1.7 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.