VDB

GCVE-110-OSM-2026-4261

GCVE-110-OSM-2026-4261
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
[osmalyze-auto] APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution. [osmalyze-auto] Entrypoint: scripts/postinstall-tmux.js (install-hook: node scripts/postinstall-tmux.js) Exfil: https://react.dev/link/special-props (custom-c2, recovery: plaintext in dist/genie.js) Payload: dist/genie.js Secondary files: plugins/genie/scripts/genie.cjs, plugins/genie/scripts/term.cjs Key findings: - Corporate Environment Targeting in dist/genie.js: "tMode){if(DEPRECATED_BOOLEANS_SYNTAX.indexOf(string)!==-1||DEPRECATED_BASE60_SYN..." - Download Execute Delete Pattern in dist/genie.js: "writeFileSync12(scriptFile,`import { createServer } from 'http'; import { execSy..." - Corporate Environment Targeting in plugins/genie/scripts/genie.cjs: "tMode&&(bk.indexOf(t)!==-1||wk.test" - Download Execute Delete Pattern in plugins/genie/scripts/genie.cjs: "exec)});var Uu={};hr(Uu,{findWishForTask:()=>aD,getWishStatus:()=>oD,getWishTask..." - Corporate Environment Targeting in plugins/genie/scripts/term.cjs: "tMode&&(bb.indexOf(t)!==-1||Db.test" IOCs: - ipv6: 1::, fe80::, 2::, 8::, 9:: - urls: https://docs.automagik.dev/genie, https://react.dev/link/special-props, https://react.dev/link/invalid-hook-call, https://react.dev/link/new-jsx-transform, https://react.dev/link/rules-of-hooks (+23 more) - domains: docs.automagik.dev, yaml.org, this.ph, this.si, api.nc (+12 more) - emails: hildebrandt@plus-innovations.com - sha256Hashes: c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839, 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812, 87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e - payloadFileHash: d81a594bfce94bcc88b7c50968f4952df1df3307a8e26f76537f8bec03405d05

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@automagik/genie4.260423.10 (affected)

References

advisory
vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›