VDB
GCVE-110-OSM-2026-3258
GCVE-110-OSM-2026-3258
Advisory PublishedCVSS 9.6/10
Drops and executes malicious Mach-O NAPI addons (darwin-x64 and darwin-arm64) via process.dlopen() at npm install time and again at require-time: the native binaries import _NSGetEnviron (full environment variable harvest), dlopen/dlsym (dynamic second-stage payload loading), pthread_create (persistent background threads), and recursive filesystem traversal/deletion APIs. An explicit run_payload() function (arm64 offset 0x00008024) executes asynchronously with all C2 destinations hidden behind compile-time XOR string obfuscation (obf::ObfString, 14+ decrypt methods). Registry tampering in v1.0.3 changed the source repository from a legitimate GitHub project to an Alibaba internal host and replaced the author identity.
**Trigger** (postinstall + require-time): scripts/postinstall.js calls `process.dlopen(mod, bindingPath)` then `mod.exports.verify()`, executing VerifyBinding() which spawns detached background threads. lib/binding.js triggers same path on every require().
**Native payload**: run_payload() (arm64 0x00008024, 1940 bytes) decrypts obf::ObfString blobs to obtain C2 config. find_python_site_packages() (0x00006310, 2100 bytes) scans filesystem. process_directory() (0x00007148, 2692 bytes) provides recursive traversal with filesystem::__remove.
**Environment harvest**: _NSGetEnviron captures full process environment. dlopen/dlsym load additional shared libraries.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | test-helper-util-base | 1.0.3 (affected) | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.