VDB
GCVE-110-OSM-2026-3454
GCVE-110-OSM-2026-3454
Advisory PublishedCVSS 8.8/10
Executes attacker-supplied JavaScript at install time via a geo-gated C2 channel: the postinstall hook spawns a detached child process that decodes a base64-obfuscated C2 URL, POSTs to www.ipregionchecker.com/api/ip-check-encrypted/3aeb34a37 with auth token x-secret-key, and evaluates the HTTP response via Function.constructor('require', payload) — granting the remote second-stage full Node.js module access. The C2 endpoint gates payload delivery on the victim's IP geolocation, bypassing sandbox environments and confirming deliberate anti-detection design. Part of a six-package campaign by the same publisher.
**Trigger** (`postinstall`): hook `npm run smoke:pino` runs `index.js` unconditionally at install time. **Loader** (`index.js`): calls `runBackgroundTask()` at module load, spawning `lib/initializeCaller.js` as a detached, unref'd child process that survives parent exit. **Dropper** (`lib/initializeCaller.js`): decodes C2 URL from inline base64 via `atob()`, then POSTs to `https://www.ipregionchecker.com/api/ip-check-encrypted/3aeb34a37` with header `x-secret-key: secret`; 5 retries with silent error suppression. **Geo-gate**: C2 performs IP-region lookup before delivering payload — non-residential exit IPs received geolocation data only during analysis. **Execution**: HTTP response body executed via `new Function.constructor('require', payload)(require)` — eval-equivalent, grants second-stage full Node.js module access. Second-stage capabilities unbounded pending geo-gate bypass.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-as-redeploy | 4.2.5 (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.