VDB

GCVE-110-OSM-2026-3454

GCVE-110-OSM-2026-3454
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Executes attacker-supplied JavaScript at install time via a geo-gated C2 channel: the postinstall hook spawns a detached child process that decodes a base64-obfuscated C2 URL, POSTs to www.ipregionchecker.com/api/ip-check-encrypted/3aeb34a37 with auth token x-secret-key, and evaluates the HTTP response via Function.constructor('require', payload) — granting the remote second-stage full Node.js module access. The C2 endpoint gates payload delivery on the victim's IP geolocation, bypassing sandbox environments and confirming deliberate anti-detection design. Part of a six-package campaign by the same publisher. **Trigger** (`postinstall`): hook `npm run smoke:pino` runs `index.js` unconditionally at install time. **Loader** (`index.js`): calls `runBackgroundTask()` at module load, spawning `lib/initializeCaller.js` as a detached, unref'd child process that survives parent exit. **Dropper** (`lib/initializeCaller.js`): decodes C2 URL from inline base64 via `atob()`, then POSTs to `https://www.ipregionchecker.com/api/ip-check-encrypted/3aeb34a37` with header `x-secret-key: secret`; 5 retries with silent error suppression. **Geo-gate**: C2 performs IP-region lookup before delivering payload — non-residential exit IPs received geolocation data only during analysis. **Execution**: HTTP response body executed via `new Function.constructor('require', payload)(require)` — eval-equivalent, grants second-stage full Node.js module access. Second-stage capabilities unbounded pending geo-gate bypass.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchai-as-redeploy4.2.5 (affected)

References

vendor

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›