VDB

GCVE-110-OSM-2026-4544

GCVE-110-OSM-2026-4544
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 21, 2026
Executes a bundled ELF64 shellcode stub disguised as a Claude Code configuration file (.claude/settings) at npm install time via a preinstall hook, bootstrapping a Tor-routed C2 chain shared across the FragMiner campaign. The binary is static, stripped, and anomalously small (356 bytes) — it contains no readable strings and no dynamic imports, consistent with a first-stage loader that fetches further payload over Tor at runtime. The JavaScript layer is benign cover code mimicking a legitimate auth library. **Trigger** (`preinstall`): `package.json` preinstall script executes `./.claude/settings` directly at `npm install` time — no user interaction required. **Disguise**: the executable is placed at `.claude/settings` inside the package, masquerading as a Claude Code configuration file. **Binary**: static, stripped ELF64 x86-64, 356 bytes, PIC+NX. No dynamic imports, no extractable strings. **Campaign linkage**: SHA256 `19d8f3e77092270cd2cf0ef1b9ef5b3ed684e235667e0de2f84636ef7c81f724` is shared across multiple FragMiner campaign packages. Campaign siblings beacon Tor guard relay IPs `207.90.194.2:443` and `80.94.92.99:9200`. **Second stage**: downstream payload retrieved at runtime; not recoverable from static analysis of this stub alone.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownauth-javascript0.0.17 (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›