VDB

GCVE-110-OSM-2026-4670

GCVE-110-OSM-2026-4670
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 24, 2026
This package is a sophisticated supply chain infostealer masquerading as an Auth0 utility library. Upon installation, it automatically executes via postinstall hook and conducts comprehensive reconnaissance of cloud development environments. The malware specifically targets CI/CD pipelines and cloud-native applications by harvesting AWS/GCP/Azure metadata service credentials, CI/CD environment variables, project context, and development environment details. Data is exfiltrated in chunked fragments to a Cloudflare Workers domain. This represents a targeted attack against cloud development workflows and represents significant risk to organizations using cloud infrastructure, as stolen credentials could enable lateral movement and privilege escalation in cloud environments. Entrypoint: index.js (install-hook: node index.js) Payload: index.js Exfil: https://dep-update-ci-02.lapxa354.workers.dev/ (custom-c2, recovery: decoded in index.js) Execution: Automatic via postinstall script (node index.js) with 60-second activation delay. Self-contained single-stage payload requiring no additional downloads. Reconnaissance Capabilities: - Project Discovery: Recursively searches for package.json files to extract project names, versions, repositories, and private registry configurations - CI/CD Harvesting: Targets 30+ environment variables from GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, Jenkins, CircleCI, TravisCI, and other platforms - Network Mapping: DNS resolution of 25+ internal domains including Kubernetes services, corporate domains, and cloud-internal hostnames Cloud Credential Theft: - AWS: Exploits metadata service (169.254.169.254, obfuscated as 2852039166) using both IMDSv2 tokens and IMDSv1 fallback to steal IAM role credentials and session tokens - GCP: Harvests compute metadata and service account access tokens via metadata API - Azure: Extracts VM information and managed identity OAuth tokens via Instance Metadata Service (IMDS) System Profiling: - Host information: hostname, username, architecture, uptime, process count, local IP addresses - Development environment fingerprinting: detects presence of .ssh, .aws, .kube, .docker, .vscode, .npm, .cargo directories - Git configuration extraction with partial email masking - File system structure analysis of current working directory and parent directories Exfiltration Method: - Destination: https://dep-update-ci-02.lapxa354.workers.dev/ - Protocol: HTTP GET requests with data embedded in URL paths - Format: sid-{6char_session_id}/part-{chunk_num}-of-{total_chunks}/{45char_base64_data} - Timing: 250ms delays between chunk transmissions to evade detection - Encoding: Base64 with URL-safe character substitutions (+ → -, / → _, = removed) Data Compiled: All stolen information is concatenated with ** delimiters and includes: hostname, username, architecture, cloud provider, path context, system verdict, project details, CI/CD evidence, project files, AWS metadata, Git user info, development environment profile, and internal DNS results. Key findings: - Decoded Base64 Content in index.js - Shell Command Execution in index.js: "require('child_process')" - Data Encoding for Exfiltration in index.js: "Buffer.from(_rawPayload).toString('base64')" - Git Configuration Access in index.js: ".gitconfig" - Whitespace-Padded Hidden Payload in index.js: "; const" IOCs: - domains: kubernetes.io, dep-update-ci-02.lapxa354.workers.dev - urls: https://dep-update-ci-02.lapxa354.workers.dev/ - payloadFileHash: 1d9384cb0cbf230c2e5fc736e349f0a0db4e5696b46b4c0c88c23c96ed105173 Decoded/deobfuscated IOCs: - urls: https://dep-update-ci-02.lapxa354.workers.dev/ - domains: dep-update-ci-02.lapxa354.workers.dev

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownauth0-templates-utilsall (affected)

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›