VDB

GCVE-110-OSM-2026-3336

GCVE-110-OSM-2026-3336
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 29, 2026
Exfiltrates ETHEREAL_API, ETHEREAL_WEB, ETHEREAL_API_KEY, and ETHEREAL_CACHE environment variables plus .env and .seed file contents to attacker-controlled C2 at 74.0.48.37 on ports 4556 and 4558 via base64-encoded HTTP POST. Triggered silently at install via postinstall hook that spawns a detached obfuscated background process which also establishes a persistent socket.io C2 channel. Package impersonates the legitimate nodemailer library. Publisher is a confirmed DPRK DeceptiveDevelopment actor. **Trigger** (`postinstall`): executes `node lib/utils/index.js`, which spawns `lib/utils/smtp-connection/index.js` as a detached process (`detached:true, stdio:['ignore','ignore','ignore']`; `child.unref()`). **Obfuscation**: 51KB custom-alpha base91 payload with five redundant try/catch C2 retry blocks — each with a distinct per-function decoder alphabet for resilience against partial decode. **C2**: C2 IP 74.0.48.37 assembled from plaintext hex constants (0x4a.0x0.0x30.0x25); ports 4556 (0x11cc) and 4558 (0x11ce). socket.io-client establishes persistent bidirectional C2 channel; axios exfiltrates data. **Collection**: reads `process.env.ETHEREAL_API`, `ETHEREAL_WEB`, `ETHEREAL_API_KEY`, `ETHEREAL_CACHE`; reads `.env` and `.seed` files. **Exfiltration**: base64-encodes collected data and POSTs via axios to 74.0.48.37:4558.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowndevkit-scripts1.0.3 (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›