VDB
GCVE-110-OSM-2026-3461
GCVE-110-OSM-2026-3461
Advisory PublishedCVSS 9.6/10
Executes arbitrary remote JavaScript fetched from `api.npoint.io` (`https://api.npoint.io/5b357f718ab4ee355003`) via `Function.constructor` eval with full `require()` access when the middleware is invoked; masquerades as the pino logger and spawns a detached background process that persists independently of the parent. The 3.5MB second-stage payload is heavily obfuscated and consistent with the BeaverTail infostealer family associated with the DPRK Contagious Interview campaign.
**Trigger** (`require-time`): When the package middleware function is invoked, `index.js` calls `runBackgroundTask()`, spawning `lib/initializeCaller.js` as a detached Node.js process (`detached: true, stdio: 'ignore', child.unref()`). The parent process exits independently — the stager continues running in the background.
**C2 fetch**: `lib/initializeCaller.js` decodes three inline base64 literals to recover the C2 URL (`https://api.npoint.io/5b357f718ab4ee355003`), the auth header name (`x-secret-key`), and its value (`_`). It then issues an `axios.get()` request to the npoint.io endpoint with up to 5 retries.
**Eval**: The stager extracts `response.data.cookie` — a 3,554,994-byte obfuscated JavaScript payload served via npoint.io's JSON hosting — and executes it via `new Function.constructor("require", payload)()`, granting the remote code unrestricted `require()` access to the victim's Node.js runtime.
**Stage-2**: The payload is heavily obfuscated with RC4-based string decryption and hex-escaped string arrays. Function naming and structure are consistent with the BeaverTail infostealer toolchain. Full capability extraction is pending due to payload size.
**Camouflage**: Bundles approximately 14 legitimate pino logger source files as cover and exports `module.exports.pino = middleware` to impersonate the pino API surface. Declares three phantom dependencies in `package.json` that are never imported in any source file.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | motion-ui-tool | 2.3.5 (affected) | — |
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.