VDB

GCVE-110-OSM-2026-3460

GCVE-110-OSM-2026-3460
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Executes an AES-256-CBC encrypted second-stage payload via eval() at require-time, with the eval call obfuscated by constructing the string 'eval' from first-character fragments of a decoy array. Payload delivery is gated by a confirmed-malicious sandbox evasion dependency (node-env-detector) that explicitly bypasses Snyk, npm audit, CI runners, containers, and virtual machines to ensure execution only on real developer machines. Typosquats `sindresorhus/unique-string` with spoofed author identity; part of a coordinated multi-package DeceptiveDevelopment campaign alongside confirmed RCE loader `es6-runtimejs`. **Trigger** (require-time): The top-level call `uniqueString(64)` at the bottom of `loaders/index.js` fires unconditionally on any `require()` or `import` of the package — no user action needed. **Evasion gate**: Calls `detectEnvironment()` from `node-env-detector` (confirmed malicious, same campaign, published by actor `jr10162025@proton.me`). Evaluates `env.isCI || env.isNpmBot || env.isContainer || env.isVirtualMachineLikely` — if true, skips payload entirely. This mechanism explicitly targets Snyk and npm audit scanner environments. **Eval obfuscation**: The string `'eval'` is never written directly. Constructed via array first-character extraction: `['echo','vertex','alpha','length'].map(p => p[0]).join('') = 'eval'`. Executed as `globalThis['eval'](decryptedPayload)`. **Decryption**: AES-256-CBC with static key `sha256('256-key')` and IV `e02c83ded5c06b2039f0db86aad8aa34`, both hardcoded in plaintext in `loaders/index.js`. The decrypted second-stage payload content is unknown. **Campaign context**: Campaign sibling `es6-runtimejs` (same actor cluster) is a confirmed RCE loader with C2 at `keo.pages.dev/output-1` and campaign token `als1ep50xspky6jv3gcrr9ifh9XLWjTyG`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownunique-string-64

References

vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›