VDB
GCVE-110-OSM-2026-3259
GCVE-110-OSM-2026-3259
Advisory PublishedCVSS 9.6/10
Backdoors the victim machine at install time by spawning a persistent GitHub-backed C2 agent: postinstall launches a detached background process that decrypts an embedded GitHub PAT, establishes an RSA-2048 key exchange with the attacker via sbaby1997/openaisdk, and polls for encrypted commands every 5 seconds — executing arbitrary shell commands via child_process.exec and exfiltrating results (and arbitrary file contents) back to the C2 repository with RSA-2048+AES-256-GCM encryption. User-agent 'c2-poc' in source confirms intentional C2 design; the C2 repository is now deleted (ephemeral infrastructure). 235 downloads/week at time of detection.
**Trigger** (postinstall): postinstall.js checks platform===darwin, then spawns `node client.js -key githubkey@123` with {detached:true}.unref() — the C2 agent survives npm exit.
**Key exchange**: client.js decrypts ENCRYPTED_GITHUB_TOKEN (AES-256-GCM, passphrase 'githubkey@123', salt 'c2-github-token-kdf-v1') and POSTs freshly generated RSA-2048 public key + client_boot_id to handshake.json in sbaby1997/openaisdk.
**Command loop**: Polls `https://api.github.com/repos/sbaby1997/openaisdk/contents/cmd.json` every 5 seconds. Supports type=shell (child_process.exec of arbitrary command), type=upload (fs.promises.readFile + exfil), type=write (fs.promises.writeFile on victim).
**Exfiltration**: Output encrypted with server RSA-2048 public key (OAEP/SHA-256 + AES-256-GCM), written to `https://api.github.com/repos/sbaby1997/openaisdk/contents/data.json` via GitHub Contents API PUT.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | gateweb3crypto | 1.0.3 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.