VDB

GCVE-110-OSM-2026-3461

GCVE-110-OSM-2026-3461
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Executes arbitrary remote JavaScript fetched from `api.npoint.io` (`https://api.npoint.io/5b357f718ab4ee355003`) via `Function.constructor` eval with full `require()` access when the middleware is invoked; masquerades as the pino logger and spawns a detached background process that persists independently of the parent. The 3.5MB second-stage payload is heavily obfuscated and consistent with the BeaverTail infostealer family associated with the DPRK Contagious Interview campaign. **Trigger** (`require-time`): When the package middleware function is invoked, `index.js` calls `runBackgroundTask()`, spawning `lib/initializeCaller.js` as a detached Node.js process (`detached: true, stdio: 'ignore', child.unref()`). The parent process exits independently — the stager continues running in the background. **C2 fetch**: `lib/initializeCaller.js` decodes three inline base64 literals to recover the C2 URL (`https://api.npoint.io/5b357f718ab4ee355003`), the auth header name (`x-secret-key`), and its value (`_`). It then issues an `axios.get()` request to the npoint.io endpoint with up to 5 retries. **Eval**: The stager extracts `response.data.cookie` — a 3,554,994-byte obfuscated JavaScript payload served via npoint.io's JSON hosting — and executes it via `new Function.constructor("require", payload)()`, granting the remote code unrestricted `require()` access to the victim's Node.js runtime. **Stage-2**: The payload is heavily obfuscated with RC4-based string decryption and hex-escaped string arrays. Function naming and structure are consistent with the BeaverTail infostealer toolchain. Full capability extraction is pending due to payload size. **Camouflage**: Bundles approximately 14 legitimate pino logger source files as cover and exports `module.exports.pino = middleware` to impersonate the pino API surface. Declares three phantom dependencies in `package.json` that are never imported in any source file.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmotion-ui-tool2.3.5 (affected)

References

vendor

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›