VDB

GCVE-110-OSM-2026-4747

GCVE-110-OSM-2026-4747
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 26, 2026
Hijacks any consuming application's Node.js runtime by fetching and executing attacker-controlled code from svganchordev.net via the new Function() constructor with full runtime access (require, process, global, Buffer) when the package's default export is invoked. The domain impersonates cdnjs.cloudflare.com URL structure to evade CDN allowlist detection. Nine phantom dependencies (dpapi, sqlite3, node-machine-id) are declared but never imported, concealing the package's true second-stage intent. **Trigger** (call-time): index.js exports getPlugin() as the default export; the RCE chain fires when any consumer calls this function. **Fetch**: constructs URL https://svganchordev.net/icons/110 from module-level literal constants and fetches it with a custom 'bearrtoken: logo' header. **RCE sink**: the JSON response field data.credits is passed as the body of new Function('require','module','exports','__dirname','__filename','console','process','global','Buffer','setTimeout','setInterval','clearTimeout','clearInterval','Promise', data.credits) and executed with the full Node.js runtime context. **CDN impersonation**: a second function setDefaultModule() constructs attacker URLs under cdnjs.svganchordev.net using the identical path prefix cdnjs.cloudflare.com uses (/ajax/libs/font-awesome/6.4.0/svgs/brands/) to impersonate legitimate CDN infrastructure. **Payload**: C2 returned HTTP 502 on all retrieval attempts — second-stage content not confirmed. **Phantom deps**: nine dependencies declared in package.json (request, @primno/dpapi, sqlite3, module-to-cdn, axios, express, socket.io-client, better-sqlite3, node-machine-id) with zero imports in source.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownfe-utils-core1.0.4 (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›