VDB

GCVE-110-OSM-2026-3258

GCVE-110-OSM-2026-3258
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 28, 2026
Drops and executes malicious Mach-O NAPI addons (darwin-x64 and darwin-arm64) via process.dlopen() at npm install time and again at require-time: the native binaries import _NSGetEnviron (full environment variable harvest), dlopen/dlsym (dynamic second-stage payload loading), pthread_create (persistent background threads), and recursive filesystem traversal/deletion APIs. An explicit run_payload() function (arm64 offset 0x00008024) executes asynchronously with all C2 destinations hidden behind compile-time XOR string obfuscation (obf::ObfString, 14+ decrypt methods). Registry tampering in v1.0.3 changed the source repository from a legitimate GitHub project to an Alibaba internal host and replaced the author identity. **Trigger** (postinstall + require-time): scripts/postinstall.js calls `process.dlopen(mod, bindingPath)` then `mod.exports.verify()`, executing VerifyBinding() which spawns detached background threads. lib/binding.js triggers same path on every require(). **Native payload**: run_payload() (arm64 0x00008024, 1940 bytes) decrypts obf::ObfString blobs to obtain C2 config. find_python_site_packages() (0x00006310, 2100 bytes) scans filesystem. process_directory() (0x00007148, 2692 bytes) provides recursive traversal with filesystem::__remove. **Environment harvest**: _NSGetEnviron captures full process environment. dlopen/dlsym load additional shared libraries.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntest-helper-util-base1.0.3 (affected)

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›