VDB

GCVE-110-OSM-2026-3465

GCVE-110-OSM-2026-3465
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Executes shell commands for hypervisor fingerprinting (`wmic computersystem get model` on Windows; `sysctl -n machdep.cpu.brand_string` on macOS) and explicitly targets Snyk and npm audit by name to evade security scanning. Purpose-built evasion infrastructure for a confirmed DeceptiveDevelopment (DPRK-adjacent) supply chain campaign — exported as `detectEnvironment()` and imported by companion malicious packages to gate payload delivery exclusively to real developer machines. **Trigger**: Exported as `module.exports = detectEnvironment` — invoked at require-time by companion malicious packages before they execute their payload. **Category 1 — CI/CD Detection** (`detectCI`): Reads `process.env.CI`, `GITHUB_ACTIONS`, `GITLAB_CI`, `CIRCLECI`, `TRAVIS`, `APPVEYOR`, `JENKINS_URL`, `BUILDKITE`, `TEAMCITY_VERSION`, `BITBUCKET_BUILD_NUMBER`. **Category 2 — Security Scanner Evasion** (`detectNpmBot`): Reads `process.env.npm_config_user_agent` and flags values containing `audit`, `scanner`, `snyk`, `node-fetch` — explicitly naming Snyk and npm audit as evasion targets. **Category 3 — Container Detection** (`detectContainer`): `fs.existsSync('/.dockerenv')`; `fs.readFileSync('/proc/1/cgroup')` checked for `docker`, `kubepods`, `containerd`. **Category 4 — VM Fingerprinting** (`detectVM`): `fs.readFileSync('/proc/cpuinfo')` (Linux); `execSync('wmic computersystem get model')` (Windows); `execSync('sysctl -n machdep.cpu.brand_string')` (macOS); `os.cpus().map(c => c.model)` — checked against: `virtual`, `vmware`, `virtualbox`, `qemu`, `kvm`, `xen`, `hyper-v`. **Category 5 — Low-Resource Sandbox** (`detectLowResourceSandbox`): `os.totalmem() <= 2GB` OR `os.cpus().length <= 2`. **Output**: Returns a signals object. Companion packages check `signals.length === 0` (clean developer machine) before executing their malicious payload. Confirmed imported by `unique-string-64` in the same campaign batch.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnode-env-detector* (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›