VDB

GCVE-110-OSM-2026-4531

GCVE-110-OSM-2026-4531
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 21, 2026
Executes attacker-controlled JavaScript at require time through a detached child process. The package fetches `https://jsonkeeper.com/b/XRGF3` with `x-secret-key: _`, extracts the returned JSON `cookie` field, and evaluates it with the Function constructor. secure_get and js_solver confirmed a follow-on C2 URL at `216.126.237.71` and a larger decoded payload with socket.io command execution, screenshot/clipboard/remote-input capability, SSH session support, browser/profile theft, developer credential scanning, and file upload to `216.126.224.220:5976`. `index.js` launches `lib/caller.js` as a detached Node child process when the package is imported. The worker fetches the jsonkeeper.com JSON stage and executes `data.cookie` via `new Function.constructor("require", s)`. The first decoded stage contacts `http://216.126.237.71/api/service/e99a18c428cb38d5f260853678922e03` and runs another obfuscated service payload. The decoded service payload uses `socket.io-client` for command/control, handles remote command execution via `child_process.exec`, supports screenshot and clipboard collection, starts SSH/xterm sessions with password or private keys, scans browser profiles and developer/crypto paths such as `.aws`, `.ssh`, `.gnupg`, `.claude`, `.windsurf`, `.cursor`, `.sol`, `.move`, and exfiltrates matching files through FormData uploads.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmidcore1.1.9 (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›