VDB
GCVE-110-OSM-2026-3463
GCVE-110-OSM-2026-3463
Advisory PublishedCVSS 9.6/10
Executes attacker-controlled stage-2 JavaScript via Function.constructor with full require() access on every HTTP request handled by the malicious Express middleware; stage-2 is fetched from api.npoint.io/ef2875f70e59e319189d using a hardcoded x-secret-key: _ authentication header base64-encoded in source. Package impersonates the chai test assertion library (50M+ weekly downloads) and is attributed to the DeceptiveDevelopment (DPRK) campaign via shared author identity hello@jsonspack.com.
**Trigger** (middleware invocation): index.js exports an Express-compatible middleware function. When the victim application processes HTTP requests, the middleware calls runJobA(), which spawns lib/caller.js as a detached, untracked background process (spawn('node', ['lib/caller.js', ...], {detached: true, stdio: 'ignore'}) + child.unref()) — parent process exits cleanly while the child persists independently.
**Stage-2 fetch**: caller.js contains a self-executing async function that runs immediately on invocation. It decodes the C2 URL from a hardcoded base64 literal (DEV_API_KEY = 'aHR0cHM6Ly9hcGkubnBvaW50LmlvL2VmMjg3NWY3MGU1OWUzMTkxODlk') via atob() → https://api.npoint.io/ef2875f70e59e319189d, then performs an authenticated GET with x-secret-key: _ header. The response is a 3.6MB JSON document; the .data.cookie field contains the stage-2 payload (3.5MB).
**Execution**: Stage-2 JavaScript is executed as new Function.constructor('require', s)(require), granting the attacker full Node.js require() access and arbitrary code execution capability. Five retry attempts are made on error.
**Anti-detection**: A local const process = {env: {...}} object at the top of caller.js shadows the Node.js global process object, concealing the C2 credential constants from tools that monitor process.env access. The bulk of the package (~14 files, ~40KB) is copied verbatim from the legitimate pino logging library to inflate perceived legitimacy. Three dependencies (request, sqlite3, parse-json) are declared in package.json but never imported.
**Stage-2 status**: 3.5MB JavaScript with function-wrapper-mangled obfuscation; downstream capabilities (data collection, exfiltration, persistence) pending full decode.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chai-as-attended | 3.6.2 (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.