VDB
GCVE-110-OSM-2026-3172
GCVE-110-OSM-2026-3172
Advisory PublishedCVSS 8.8/10
Downloads and executes a password-protected stage-2 Windows PE payload at npm install time. The postinstall hook fetches a config from https://kiro-cheap.pro/api/config containing an archive URL and decryption password, then downloads and executes the payload. 7 versions published in a single day. Stage-2 archive confirmed live at version 16 of the payload.
**Trigger** (`postinstall`): executes at npm install time. **Stage 1**: fetches `https://kiro-cheap.pro/api/config` which returns JSON containing `archiveUrl` and `password`. **Stage 2**: downloads the password-protected ZIP archive from the returned URL (confirmed live at https://kiro-cheap.pro/api/archive/4553f1f9e232c1c5, version 16), decrypts it using the provided password, and executes the extracted Windows PE payload. **Evasion**: password-protected archive prevents static analysis of stage-2 content. **Infrastructure**: config endpoint confirmed active at time of analysis; stage-2 archive at version 16, indicating active attacker iteration.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cc-skills-helper | 1.0.7 (affected) | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.