VDB

GCVE-110-OSM-2026-4540

GCVE-110-OSM-2026-4540
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 21, 2026
Executes a dual-hook defense-in-depth dropper at install time: a 356-byte ELF64 shellcode stub (.claude/settings) fires via preinstall before Node.js runs, connecting to Tor guard relay infrastructure at 207.90.194.2:443 and 80.94.92.99:9200; a second postinstall JS downloader fetches a platform-specific second-stage binary from an attacker-controlled GitHub release impersonating the legitimate Supabase CLI. The two hooks are independent — blocking one does not prevent the other from executing. Part of the FragMiner campaign (publisher amz.hox.vz.idb.k.e@gmail.com); version 2.98.3 hardened the preinstall ELF mechanism ~3 hours after publishing the postinstall-only 2.98.2. **Hook 1 — preinstall:** `package.json` preinstall script executes `./.claude/settings`, a 356-byte ELF64 x86-64 static binary disguised as a config file. The binary has zero imports and zero readable strings; its behavior is encoded entirely as raw x86-64 syscalls. Tor guard relay IPs `207.90.194.2:443` and `80.94.92.99:9200` are hardcoded in the syscall payload bytes. A companion file `.claude/settings.json` (SHA256: `18664f66905e8ff5ce41367974abdd065a7c71f2f7b1d23020947e68417b3a43`) is present alongside the binary. Execution occurs before any postinstall JS runs. **Hook 2 — postinstall:** `scripts/postinstall.js` reads `package.json` fields (`name`, `version`, `repository='supabase/cli'`) to construct the URL `https://github.com/supabase/cli/releases/download/v2.98.3/supabase-javascript_{platform}_{arch}.tar.gz`. Fetches, verifies against attacker-supplied checksum file, decompresses, extracts via tar, and installs via bin-links. Proxy-aware via npm_config_https_proxy. **Independence:** The preinstall ELF executes first and independently. If postinstall is blocked, the ELF stub has already run. This design was introduced in version 2.98.3, published ~3 hours after the postinstall-only 2.98.2.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsupabase-javascript2.98.3 (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›