VDB
GCVE-110-OSM-2026-1676
GCVE-110-OSM-2026-1676
Advisory PublishedCVSS 9.6/10
Executes a remotely-fetched stage-2 payload from https://jsonkeeper.com/b/2IG6W on every require() call using Function.constructor with full require() access. The loader is concealed in lib/digitallogger/loggercaller.js within a full clone of the legitimate winston logger package. The stage-2 payload (92946 bytes, obfuscator.io-obfuscated, SHA256: 11152b9b00d60a9c8bc8df000b88a749ac4c4d616154709585c6d78f098a1b51) contains socket.io-client, /api/service/process/, screenshot-desktop, clipboardy, @nut-tree-fork/nut-js (keyTap, pressKey, mouseClick, mouseMove, mouseScroll), child_process, powershell -NoProfile -Command, and cross-platform host enumeration strings (hostname, userInfo, platform, darwin, win32, linux) indicating a full-featured RAT with C2, screen capture, clipboard theft, keylogging, mouse simulation, and shell execution capabilities.
lib/digitallogger/loggercaller.js (and its Babel transpile dist/digitallogger/loggercaller.js) base64-decodes a hardcoded constant object (DEV_API_KEY) to https://jsonkeeper.com/b/2IG6W, fetches with x-secret-key header where both header name (DEV_SECRET_KEY) and value (DEV_SECRET_VALUE) are also base64-encoded in the same constant object, extracts .data.cookie from the JSON response, and executes it via new Function.constructor('require', code)(require) with 5 retry attempts. The fetched stage-2 (SHA256: 11152b9b00d60a9c8bc8df000b88a749ac4c4d616154709585c6d78f098a1b51, 92946 bytes, returned 200 OK with Content-Type application/json) is an obfuscator.io-obfuscated Node.js file. Static string analysis confirms socket.io-client, /api/service/process/, screenshot-desktop, clipboardy, @nut-tree-fork/nut-js with keyTap/pressKey/mouseClick/mouseMove/mouseScroll, copyClipboard, child_process, and powershell -NoProfile -Command strings present in the payload.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | digitallogger | 1.1.0 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.