VDB
GCVE-110-OSM-2026-3455
GCVE-110-OSM-2026-3455
Advisory PublishedCVSS 9.6/10
Exfiltrates SSH keys, AI IDE configs (.cursor, .claude, .windsurf, .pearai, .eigent), cryptocurrency wallets, and environment secrets to 216.126.224.220:5976/upload via a 3-stage BeaverTail infostealer chain. Masquerades as pino logger; triggers when the middleware is invoked via a detached background process that fetches a JavaScript payload from a JSONkeeper dead drop (https://jsonkeeper.com/b/XRGF3) and executes it with full require() access. Novel targets include AI IDE config directories not previously confirmed in BeaverTail campaigns.
**Trigger** (`call-time — middleware invocation`): `index.js` exports a middleware factory; the detached process spawn fires when the exported function is called (e.g. `app.use(pino())`), not at module import. Spawns `lib/caller.js` as a detached background node process (`detached: true`, `stdio: 'ignore'`, `child.unref()`) — no install hook; process survives parent exit and runs silently in the background.
**Stage 1 — Dead drop fetch**: `caller.js` issues `GET https://jsonkeeper.com/b/XRGF3` with `x-secret-key: _` header, retrying up to 5 times on failure. The response `.data.cookie` field contains the stage-2 JavaScript payload.
**Stage 1 — RCE eval**: Retrieved payload executed via `new Function.constructor("require", s)(require)`, granting the attacker-controlled payload full `require()` access to the victim's Node.js environment.
**Stage 2 — Dropper**: Silently installs `axios` and `socket.io-client` via `execSync`, then fetches and executes binary `0001.dat` from `http://216.126.237.71/api/service/e99a18c428cb38d5f260853678922e03`.
**Stage 3 — BeaverTail infostealer (93.3 KB, cross-platform Windows/macOS/Linux)**: Targets AI IDE configuration directories (`.cursor`, `.claude`, `.windsurf`, `.pearai`, `.eigent`), cryptocurrency wallets (`.move`, `.avm`, `.sol`, `openzeppelin`), GPG/SSH key material (`.gnupg`), and credential files (`.env`, `.pem`). Uses `createReadStream` to exfiltrate collected data via HTTP POST to `http://216.126.224.220:5976/upload`.
**Cover**: Ships near-verbatim pino logger internals (tools.js, proto.js, transport.js, etc.) and exports `middleware.pino` to masquerade as a legitimate logging library. Phantom dependencies (`sqlite3`, `request`, `parse-json`) are declared but never imported.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | jwscube | 1.1.9 (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.