VDB
GCVE-110-OSM-2026-4670
GCVE-110-OSM-2026-4670
Advisory PublishedCVSS 9.6/10
This package is a sophisticated supply chain infostealer masquerading as an Auth0 utility library. Upon installation, it automatically executes via postinstall hook and conducts comprehensive reconnaissance of cloud development environments. The malware specifically targets CI/CD pipelines and cloud-native applications by harvesting AWS/GCP/Azure metadata service credentials, CI/CD environment variables, project context, and development environment details. Data is exfiltrated in chunked fragments to a Cloudflare Workers domain. This represents a targeted attack against cloud development workflows and represents significant risk to organizations using cloud infrastructure, as stolen credentials could enable lateral movement and privilege escalation in cloud environments.
Entrypoint: index.js (install-hook: node index.js)
Payload: index.js
Exfil: https://dep-update-ci-02.lapxa354.workers.dev/ (custom-c2, recovery: decoded in index.js)
Execution: Automatic via postinstall script (node index.js) with 60-second activation delay. Self-contained single-stage payload requiring no additional downloads.
Reconnaissance Capabilities:
- Project Discovery: Recursively searches for package.json files to extract project names, versions, repositories, and private registry configurations
- CI/CD Harvesting: Targets 30+ environment variables from GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, Jenkins, CircleCI, TravisCI, and other
platforms
- Network Mapping: DNS resolution of 25+ internal domains including Kubernetes services, corporate domains, and cloud-internal hostnames
Cloud Credential Theft:
- AWS: Exploits metadata service (169.254.169.254, obfuscated as 2852039166) using both IMDSv2 tokens and IMDSv1 fallback to steal IAM role credentials and session tokens
- GCP: Harvests compute metadata and service account access tokens via metadata API
- Azure: Extracts VM information and managed identity OAuth tokens via Instance Metadata Service (IMDS)
System Profiling:
- Host information: hostname, username, architecture, uptime, process count, local IP addresses
- Development environment fingerprinting: detects presence of .ssh, .aws, .kube, .docker, .vscode, .npm, .cargo directories
- Git configuration extraction with partial email masking
- File system structure analysis of current working directory and parent directories
Exfiltration Method:
- Destination: https://dep-update-ci-02.lapxa354.workers.dev/
- Protocol: HTTP GET requests with data embedded in URL paths
- Format: sid-{6char_session_id}/part-{chunk_num}-of-{total_chunks}/{45char_base64_data}
- Timing: 250ms delays between chunk transmissions to evade detection
- Encoding: Base64 with URL-safe character substitutions (+ → -, / → _, = removed)
Data Compiled: All stolen information is concatenated with ** delimiters and includes: hostname, username, architecture, cloud provider, path context, system verdict, project details, CI/CD evidence, project files, AWS metadata, Git user info, development environment profile, and internal DNS results.
Key findings:
- Decoded Base64 Content in index.js
- Shell Command Execution in index.js: "require('child_process')"
- Data Encoding for Exfiltration in index.js: "Buffer.from(_rawPayload).toString('base64')"
- Git Configuration Access in index.js: ".gitconfig"
- Whitespace-Padded Hidden Payload in index.js: ";
const"
IOCs:
- domains: kubernetes.io, dep-update-ci-02.lapxa354.workers.dev
- urls: https://dep-update-ci-02.lapxa354.workers.dev/
- payloadFileHash: 1d9384cb0cbf230c2e5fc736e349f0a0db4e5696b46b4c0c88c23c96ed105173
Decoded/deobfuscated IOCs:
- urls: https://dep-update-ci-02.lapxa354.workers.dev/
- domains: dep-update-ci-02.lapxa354.workers.dev
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | auth0-templates-utils | all (affected) | — |
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.