VDB
GCVE-110-OSM-2026-4174
GCVE-110-OSM-2026-4174
Advisory PublishedCVSS 8.8/10
Hijacks the Testpad exam application via Chrome DevTools Protocol to inject a JavaScript solver into all active browser pages, captures full exam question text, and exfiltrates it to api.groq.com using 7 hardcoded Groq API keys; LLM-generated answers are silently injected back into the exam UI. Part of a multi-account CDP exam cheating distribution campaign sharing byte-identical tooling with the confirmed malicious package cdp-see.
**Trigger** (`require()`-time): cdp_inject.js executes immediately on require — no install hook in package.json.
**Browser takeover**: `child_process.exec` kills any running testpad.exe instance via `taskkill /F /IM testpad.exe`, then relaunches the application with a remote debugging port enabled to allow CDP control.
**Page injection**: Connects to the local CDP endpoint to enumerate debuggable targets; injects SOLVER_SCRIPT into all pages via `Runtime.evaluate` and `Page.addScriptToEvaluateOnNewDocument`.
**Collection**: Injected script executes `btoa(document.body.innerText)` on the active exam page, capturing the full question text.
**Exfiltration**: Node process base64-decodes the captured text and POSTs it to `https://api.groq.com/openai/v1/chat/completions` using one of 7 hardcoded Groq API keys (`gsk_qeDxYcb...` pool, round-robin rotation).
**Answer injection**: Groq API response is parsed and silently written back into the exam UI via CDP.
**Persistence**: When invoked with `--detach`, spawns itself as a detached background child process via `spawn(..., { detached: true, stdio: 'ignore' }).unref()`. Binds TCP port 9333 as a single-instance lock, evicting any competing process via `taskkill /F /PID`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | xiouss | 1.0.0 (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.