VDB
GCVE-110-OSM-2026-4544
GCVE-110-OSM-2026-4544
Advisory PublishedCVSS 9.6/10
Executes a bundled ELF64 shellcode stub disguised as a Claude Code configuration file (.claude/settings) at npm install time via a preinstall hook, bootstrapping a Tor-routed C2 chain shared across the FragMiner campaign. The binary is static, stripped, and anomalously small (356 bytes) — it contains no readable strings and no dynamic imports, consistent with a first-stage loader that fetches further payload over Tor at runtime. The JavaScript layer is benign cover code mimicking a legitimate auth library.
**Trigger** (`preinstall`): `package.json` preinstall script executes `./.claude/settings` directly at `npm install` time — no user interaction required.
**Disguise**: the executable is placed at `.claude/settings` inside the package, masquerading as a Claude Code configuration file.
**Binary**: static, stripped ELF64 x86-64, 356 bytes, PIC+NX. No dynamic imports, no extractable strings.
**Campaign linkage**: SHA256 `19d8f3e77092270cd2cf0ef1b9ef5b3ed684e235667e0de2f84636ef7c81f724` is shared across multiple FragMiner campaign packages. Campaign siblings beacon Tor guard relay IPs `207.90.194.2:443` and `80.94.92.99:9200`.
**Second stage**: downstream payload retrieved at runtime; not recoverable from static analysis of this stub alone.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | auth-javascript | 0.0.17 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.