VDB

GCVE-110-OSM-2026-4179

GCVE-110-OSM-2026-4179
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 15, 2026
Exfiltrates the victim's active GCP account identity to attacker-controlled infrastructure at status.mazago.io (194.233.98.57) via a preinstall hook that executes gcloud silently at npm install time. The C2 URL is concealed using a char+1 shift cipher embedded in a static integer array. The C2 at https://status.mazago.io responds with a base64-encoded second-stage payload served only to requests bearing a valid victim GCP identity. Part of a coordinated dual-package campaign with sibling package mazago-cli, sharing identical payload hashes and the same live C2 endpoint. **Trigger** (`preinstall`): executes `node ./bin/mazago.js` at install time with no user interaction. **Collection**: calls `child_process.execSync('/Users/aaronhowell/google-cloud-sdk/bin/gcloud config get-value account')` to retrieve the active GCP authenticated account identity. **Encoding**: GCP account string is URL-encoded and appended as a `?id=` query parameter at runtime. **Exfiltration**: issues `fetch` to `https://status.mazago.io` with the encoded GCP account attached — the C2 URL is obfuscated as a char+1 shift cipher over a literal integer array in source. **Second stage**: decodes the base64-encoded C2 response via `Buffer.from(data.trim(), 'base64').toString('utf8')`. The C2 delivers payload only to requests bearing a valid victim GCP account, functioning as an identity gate. Sibling package mazago-cli carries an identical payload and contacts the same C2, confirming a coordinated dual-package deployment by publisher 7labtech@gmail.com.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmazago0.0.1-beta.0 (affected)

References

vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›