VDB

GCVE-110-OSM-2026-2595

GCVE-110-OSM-2026-2595
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 16, 2026
Reverse shell that polls mac.soqui.dev/obtener every 3 seconds for arbitrary shell commands via GET, executes them with child_process.exec(), and exfiltrates stdout/stderr to /output via POST. Fires at require-time with no install hook. Publisher email (soquicontacto@gmail.com) shares the 'soqui' identifier with the C2 domain, confirming same actor. **Trigger** (require-time): `index.js` executes immediately on `require()` — no install hook needed. **C2 protocol**: `GET https://mac.soqui.dev/obtener` polls every 3000ms. If response JSON contains `cmd` field, the value is passed directly to `child_process.exec(json.cmd)`. Command output (stdout or stderr) is sent back via `POST https://mac.soqui.dev/output` with JSON body `{ output: <result> }`. **Persistence**: `process.on('uncaughtException', () => {})` silently swallows all errors to keep the beacon loop alive. **Language**: Spanish-language comments throughout ('Configuración de tu C2', 'Error de red, el C2 podría estar caído'). **C2 status**: Domain resolves via Cloudflare (104.21.60.39), valid TLS cert (issued 2026-04-09), but backend returns 502 Bad Gateway — infrastructure intact but origin unreachable.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsys-diagnostics-tool1.0.0 (affected)

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›