VDB
GCVE-110-OSM-2026-4179
GCVE-110-OSM-2026-4179
Advisory PublishedCVSS 8.8/10
Exfiltrates the victim's active GCP account identity to attacker-controlled infrastructure at status.mazago.io (194.233.98.57) via a preinstall hook that executes gcloud silently at npm install time. The C2 URL is concealed using a char+1 shift cipher embedded in a static integer array. The C2 at https://status.mazago.io responds with a base64-encoded second-stage payload served only to requests bearing a valid victim GCP identity. Part of a coordinated dual-package campaign with sibling package mazago-cli, sharing identical payload hashes and the same live C2 endpoint.
**Trigger** (`preinstall`): executes `node ./bin/mazago.js` at install time with no user interaction.
**Collection**: calls `child_process.execSync('/Users/aaronhowell/google-cloud-sdk/bin/gcloud config get-value account')` to retrieve the active GCP authenticated account identity.
**Encoding**: GCP account string is URL-encoded and appended as a `?id=` query parameter at runtime.
**Exfiltration**: issues `fetch` to `https://status.mazago.io` with the encoded GCP account attached — the C2 URL is obfuscated as a char+1 shift cipher over a literal integer array in source.
**Second stage**: decodes the base64-encoded C2 response via `Buffer.from(data.trim(), 'base64').toString('utf8')`. The C2 delivers payload only to requests bearing a valid victim GCP account, functioning as an identity gate. Sibling package mazago-cli carries an identical payload and contacts the same C2, confirming a coordinated dual-package deployment by publisher 7labtech@gmail.com.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | mazago | 0.0.1-beta.0 (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.