VDB
GCVE-110-OSM-2026-2011
GCVE-110-OSM-2026-2011
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code.
Payload: data/sigma-core/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
Secondary files: data/sigma-core/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml, data/sigma-core/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml
Key findings:
- Download and Execute in data/sigma-core/rules/linux/builtin/lnx_shell_susp_commands.yml: "wget * - http* | sh"
- Reverse Shell in data/sigma-core/rules/linux/builtin/lnx_shell_susp_rev_shells.yml: "/bin/sh -i"
- Ngrok Tunneling Service in data/sigma-core/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml: "ngrok.com"
- Sensitive File Access in data/sigma-core/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml: "'/.bash_history'"
- OAST/Interactsh Exfiltration in data/sigma-core/rules/network/dns/net_dns_external_service_interaction_domains.yml: ".oast.fun"
IOCs:
- ipv4: 1.9.2.13, 1.6.3.8, 22.36.35.06, 4.0.221.6, 1.9.1.2 (+6 more)
- ipv6: fe80::, fc00::, 2620:83:8000::
- urls: https://attack.mitre.org/groups/G0007, https://attack.mitre.org/groups/G0016, https://attack.mitre.org/groups/G0032, https://attack.mitre.org/groups/G0046, https://attack.mitre.org/groups/G0008 (+45 more)
- domains: attack.mitre.org, secariolabs.com, org.apache.logging.log4j.core.net, rules.sonarsource.com, owasp.org (+45 more)
- emails: daniel.bohannon@permiso.io, ODB-user@domain.com
- bitcoinAddresses: 3AB3655E5A14D4EEFC547F4781BF7F9E, 3AD59991CCF1D67339B319B15A41B35D, 3f11a94f1ac5efdd19767c6976da9ba4, 1cd158a64f3d886357535382a6fdad75, 1f2888e57fdd6aee466962c25ba7d62d (+43 more)
- pasteSites: http://pastebin.com/FtygZ1cg
- sha256Hashes: 925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797, 8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424, d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466, 5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619, a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448 (+45 more)
- payloadFileHash: d1e436594003056eb24e48d3b4cec916a308537d8548428d45a64677f2837ba1
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @thrunt/mcp | all (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.