VDB

GCVE-110-OSM-2026-3172

GCVE-110-OSM-2026-3172
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 26, 2026
Downloads and executes a password-protected stage-2 Windows PE payload at npm install time. The postinstall hook fetches a config from https://kiro-cheap.pro/api/config containing an archive URL and decryption password, then downloads and executes the payload. 7 versions published in a single day. Stage-2 archive confirmed live at version 16 of the payload. **Trigger** (`postinstall`): executes at npm install time. **Stage 1**: fetches `https://kiro-cheap.pro/api/config` which returns JSON containing `archiveUrl` and `password`. **Stage 2**: downloads the password-protected ZIP archive from the returned URL (confirmed live at https://kiro-cheap.pro/api/archive/4553f1f9e232c1c5, version 16), decrypts it using the provided password, and executes the extracted Windows PE payload. **Evasion**: password-protected archive prevents static analysis of stage-2 content. **Infrastructure**: config endpoint confirmed active at time of analysis; stage-2 archive at version 16, indicating active attacker iteration.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncc-skills-helper1.0.7 (affected)

References

vendor

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›