VDB
GCVE-110-OSM-2026-4261
GCVE-110-OSM-2026-4261
Advisory PublishedCVSS 9.6/10
[osmalyze-auto] APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.
[osmalyze-auto] Entrypoint: scripts/postinstall-tmux.js (install-hook: node scripts/postinstall-tmux.js)
Exfil: https://react.dev/link/special-props (custom-c2, recovery: plaintext in dist/genie.js)
Payload: dist/genie.js
Secondary files: plugins/genie/scripts/genie.cjs, plugins/genie/scripts/term.cjs
Key findings:
- Corporate Environment Targeting in dist/genie.js: "tMode){if(DEPRECATED_BOOLEANS_SYNTAX.indexOf(string)!==-1||DEPRECATED_BASE60_SYN..."
- Download Execute Delete Pattern in dist/genie.js: "writeFileSync12(scriptFile,`import { createServer } from 'http';
import { execSy..."
- Corporate Environment Targeting in plugins/genie/scripts/genie.cjs: "tMode&&(bk.indexOf(t)!==-1||wk.test"
- Download Execute Delete Pattern in plugins/genie/scripts/genie.cjs: "exec)});var Uu={};hr(Uu,{findWishForTask:()=>aD,getWishStatus:()=>oD,getWishTask..."
- Corporate Environment Targeting in plugins/genie/scripts/term.cjs: "tMode&&(bb.indexOf(t)!==-1||Db.test"
IOCs:
- ipv6: 1::, fe80::, 2::, 8::, 9::
- urls: https://docs.automagik.dev/genie, https://react.dev/link/special-props, https://react.dev/link/invalid-hook-call, https://react.dev/link/new-jsx-transform, https://react.dev/link/rules-of-hooks (+23 more)
- domains: docs.automagik.dev, yaml.org, this.ph, this.si, api.nc (+12 more)
- emails: hildebrandt@plus-innovations.com
- sha256Hashes: c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839, 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812, 87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e
- payloadFileHash: d81a594bfce94bcc88b7c50968f4952df1df3307a8e26f76537f8bec03405d05
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @automagik/genie | 4.260423.10 (affected) | — |
Aliases
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.