VDB

GCVE-110-OSM-2026-4174

GCVE-110-OSM-2026-4174
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 15, 2026
Hijacks the Testpad exam application via Chrome DevTools Protocol to inject a JavaScript solver into all active browser pages, captures full exam question text, and exfiltrates it to api.groq.com using 7 hardcoded Groq API keys; LLM-generated answers are silently injected back into the exam UI. Part of a multi-account CDP exam cheating distribution campaign sharing byte-identical tooling with the confirmed malicious package cdp-see. **Trigger** (`require()`-time): cdp_inject.js executes immediately on require — no install hook in package.json. **Browser takeover**: `child_process.exec` kills any running testpad.exe instance via `taskkill /F /IM testpad.exe`, then relaunches the application with a remote debugging port enabled to allow CDP control. **Page injection**: Connects to the local CDP endpoint to enumerate debuggable targets; injects SOLVER_SCRIPT into all pages via `Runtime.evaluate` and `Page.addScriptToEvaluateOnNewDocument`. **Collection**: Injected script executes `btoa(document.body.innerText)` on the active exam page, capturing the full question text. **Exfiltration**: Node process base64-decodes the captured text and POSTs it to `https://api.groq.com/openai/v1/chat/completions` using one of 7 hardcoded Groq API keys (`gsk_qeDxYcb...` pool, round-robin rotation). **Answer injection**: Groq API response is parsed and silently written back into the exam UI via CDP. **Persistence**: When invoked with `--detach`, spawns itself as a detached background child process via `spawn(..., { detached: true, stdio: 'ignore' }).unref()`. Binds TCP port 9333 as a single-instance lock, evicting any competing process via `taskkill /F /PID`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownxiouss1.0.0 (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›