VDB
GCVE-110-OSM-2026-4178
GCVE-110-OSM-2026-4178
Advisory PublishedCVSS 8.8/10
Harvests the victim's authenticated GCP account identity at install time by invoking the gcloud CLI via a preinstall hook, then exfiltrates the account email to attacker-controlled C2 at status.mazago.io (194.233.98.57) as a URL query parameter (?id=). The C2 is identity-gated and delivers a targeted base64-encoded second-stage payload only when a valid GCP credential is presented. The C2 URL is concealed using a custom char+1 integer-array encoding. Sibling package mazago carries an identical payload published under the same account (7labtech@gmail.com).
**Trigger** (`preinstall`): executes `node ./bin/mazago.js` at install time.
**Encoding**: C2 URL concealed as a char-code +1 integer array (_c) in bin/mazago.js; statically decoded to `https://status.mazago.io`.
**Collection**: invokes `execSync('/Users/aaronhowell/google-cloud-sdk/bin/gcloud config get-value account')` at line 10 to extract the authenticated GCP account email.
**Exfiltration**: constructs beacon URL with GCP account URL-encoded as ?id= parameter at line 15, then calls `fetch()` to `https://status.mazago.io` at line 18.
**Second stage**: C2 response decoded via `Buffer.from(response, 'base64').toString('utf8')` at lines 19-22. The C2 is identity-gated — it returns a decoy response without a valid GCP identity and delivers a targeted payload only when a real account email is presented.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | mazago-cli | 0.0.1-beta.0 (affected) | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.