VDB
GCVE-110-OSM-2026-3336
GCVE-110-OSM-2026-3336
Advisory PublishedCVSS 9.6/10
Exfiltrates ETHEREAL_API, ETHEREAL_WEB, ETHEREAL_API_KEY, and ETHEREAL_CACHE environment variables plus .env and .seed file contents to attacker-controlled C2 at 74.0.48.37 on ports 4556 and 4558 via base64-encoded HTTP POST. Triggered silently at install via postinstall hook that spawns a detached obfuscated background process which also establishes a persistent socket.io C2 channel. Package impersonates the legitimate nodemailer library. Publisher is a confirmed DPRK DeceptiveDevelopment actor.
**Trigger** (`postinstall`): executes `node lib/utils/index.js`, which spawns `lib/utils/smtp-connection/index.js` as a detached process (`detached:true, stdio:['ignore','ignore','ignore']`; `child.unref()`). **Obfuscation**: 51KB custom-alpha base91 payload with five redundant try/catch C2 retry blocks — each with a distinct per-function decoder alphabet for resilience against partial decode. **C2**: C2 IP 74.0.48.37 assembled from plaintext hex constants (0x4a.0x0.0x30.0x25); ports 4556 (0x11cc) and 4558 (0x11ce). socket.io-client establishes persistent bidirectional C2 channel; axios exfiltrates data. **Collection**: reads `process.env.ETHEREAL_API`, `ETHEREAL_WEB`, `ETHEREAL_API_KEY`, `ETHEREAL_CACHE`; reads `.env` and `.seed` files. **Exfiltration**: base64-encodes collected data and POSTs via axios to 74.0.48.37:4558.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | devkit-scripts | 1.0.3 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.