VDB
GCVE-110-OSM-2026-1551
GCVE-110-OSM-2026-1551
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, install-time execution.
Payload: cacert.pem
Key findings:
- Sensitive File Access in scripts/check-env.js: "".aws/credentials""
- Cryptocurrency Wallet Theft in scripts/check-env.js: "wallet.dat"
- Chai-Max Browser Data Theft in scripts/check-env.js: "chrome', 'Default', 'Login Data"
- Decoded Base64 Content in cacert.pem
- Decoded Base64 Content in cacert.pem
IOCs:
- urls: https://gitter.im/strongloop-community/loopback-connector-elastic-search, http://strongloop.com/node-js/loopback/, https://hub.docker.com/r/library/node/tags/, https://hub.docker.com/r/library/elasticsearch/tags/, http://blog.andrewray.me/how-to-debug-mocha-tests-with-chrome/ (+8 more)
- domains: gitter.im, badges.gitter.im, strongloop.com, hub.docker.com, my.es.cluster.com (+18 more)
- emails: password@my.es.cluster.com
- payloadFileHash: a28249119e6d0ef2d4171538cf88e40049991d3ed8a8a2c1ebb89d1cf3ff5e62
Decoded/deobfuscated IOCs:
- domains: doca.com, modoca.com, shoppinpal.com, crl.comodoca.co, crt.comodoca.com (+1 more)
- urls: http://ocsp.comodoca.com0+, http://crl.comodoca.co, http://crt.comodoca.com/COMOD, http://ocsp.como, http://crl.usertrust.com/AddTrustExter
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @fairwords/loopback-connector-es | all (affected) | — |
Aliases
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.