VDB

GCVE-110-OSM-2026-3259

GCVE-110-OSM-2026-3259
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 28, 2026
Backdoors the victim machine at install time by spawning a persistent GitHub-backed C2 agent: postinstall launches a detached background process that decrypts an embedded GitHub PAT, establishes an RSA-2048 key exchange with the attacker via sbaby1997/openaisdk, and polls for encrypted commands every 5 seconds — executing arbitrary shell commands via child_process.exec and exfiltrating results (and arbitrary file contents) back to the C2 repository with RSA-2048+AES-256-GCM encryption. User-agent 'c2-poc' in source confirms intentional C2 design; the C2 repository is now deleted (ephemeral infrastructure). 235 downloads/week at time of detection. **Trigger** (postinstall): postinstall.js checks platform===darwin, then spawns `node client.js -key githubkey@123` with {detached:true}.unref() — the C2 agent survives npm exit. **Key exchange**: client.js decrypts ENCRYPTED_GITHUB_TOKEN (AES-256-GCM, passphrase 'githubkey@123', salt 'c2-github-token-kdf-v1') and POSTs freshly generated RSA-2048 public key + client_boot_id to handshake.json in sbaby1997/openaisdk. **Command loop**: Polls `https://api.github.com/repos/sbaby1997/openaisdk/contents/cmd.json` every 5 seconds. Supports type=shell (child_process.exec of arbitrary command), type=upload (fs.promises.readFile + exfil), type=write (fs.promises.writeFile on victim). **Exfiltration**: Output encrypted with server RSA-2048 public key (OAEP/SHA-256 + AES-256-GCM), written to `https://api.github.com/repos/sbaby1997/openaisdk/contents/data.json` via GitHub Contents API PUT.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngateweb3crypto1.0.3 (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›