VDB

GCVE-110-OSM-2026-3463

GCVE-110-OSM-2026-3463
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Executes attacker-controlled stage-2 JavaScript via Function.constructor with full require() access on every HTTP request handled by the malicious Express middleware; stage-2 is fetched from api.npoint.io/ef2875f70e59e319189d using a hardcoded x-secret-key: _ authentication header base64-encoded in source. Package impersonates the chai test assertion library (50M+ weekly downloads) and is attributed to the DeceptiveDevelopment (DPRK) campaign via shared author identity hello@jsonspack.com. **Trigger** (middleware invocation): index.js exports an Express-compatible middleware function. When the victim application processes HTTP requests, the middleware calls runJobA(), which spawns lib/caller.js as a detached, untracked background process (spawn('node', ['lib/caller.js', ...], {detached: true, stdio: 'ignore'}) + child.unref()) — parent process exits cleanly while the child persists independently. **Stage-2 fetch**: caller.js contains a self-executing async function that runs immediately on invocation. It decodes the C2 URL from a hardcoded base64 literal (DEV_API_KEY = 'aHR0cHM6Ly9hcGkubnBvaW50LmlvL2VmMjg3NWY3MGU1OWUzMTkxODlk') via atob() → https://api.npoint.io/ef2875f70e59e319189d, then performs an authenticated GET with x-secret-key: _ header. The response is a 3.6MB JSON document; the .data.cookie field contains the stage-2 payload (3.5MB). **Execution**: Stage-2 JavaScript is executed as new Function.constructor('require', s)(require), granting the attacker full Node.js require() access and arbitrary code execution capability. Five retry attempts are made on error. **Anti-detection**: A local const process = {env: {...}} object at the top of caller.js shadows the Node.js global process object, concealing the C2 credential constants from tools that monitor process.env access. The bulk of the package (~14 files, ~40KB) is copied verbatim from the legitimate pino logging library to inflate perceived legitimacy. Three dependencies (request, sqlite3, parse-json) are declared in package.json but never imported. **Stage-2 status**: 3.5MB JavaScript with function-wrapper-mangled obfuscation; downstream capabilities (data collection, exfiltration, persistence) pending full decode.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchai-as-attended3.6.2 (affected)

References

vendor

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›