VDB
GCVE-110-OSM-2026-2595
GCVE-110-OSM-2026-2595
Advisory PublishedCVSS 9.6/10
Reverse shell that polls mac.soqui.dev/obtener every 3 seconds for arbitrary shell commands via GET, executes them with child_process.exec(), and exfiltrates stdout/stderr to /output via POST. Fires at require-time with no install hook. Publisher email (soquicontacto@gmail.com) shares the 'soqui' identifier with the C2 domain, confirming same actor.
**Trigger** (require-time): `index.js` executes immediately on `require()` — no install hook needed.
**C2 protocol**: `GET https://mac.soqui.dev/obtener` polls every 3000ms. If response JSON contains `cmd` field, the value is passed directly to `child_process.exec(json.cmd)`. Command output (stdout or stderr) is sent back via `POST https://mac.soqui.dev/output` with JSON body `{ output: <result> }`.
**Persistence**: `process.on('uncaughtException', () => {})` silently swallows all errors to keep the beacon loop alive.
**Language**: Spanish-language comments throughout ('Configuración de tu C2', 'Error de red, el C2 podría estar caído').
**C2 status**: Domain resolves via Cloudflare (104.21.60.39), valid TLS cert (issued 2026-04-09), but backend returns 502 Bad Gateway — infrastructure intact but origin unreachable.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sys-diagnostics-tool | 1.0.0 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.