VDB
GCVE-110-OSM-2026-4759
GCVE-110-OSM-2026-4759
Advisory PublishedCVSS 8.8/10
Exfiltrates system reconnaissance (hostname, username, OS platform, architecture, Node.js version, working directory) to attacker-controlled C2 at 213.218.160.189:8080 during preinstall, then downloads and executes a second-stage payload as a detached persistent Node.js process. Cross-platform fallbacks guarantee execution via curl+sh (Linux/macOS) or PowerShell IEX (Windows). Impersonates the legitimate iZiSwap concentrated liquidity DEX SDK to target DeFi and Web3 developers.
**Trigger** (`preinstall`): executes `node scripts/postinstall.js` at install time. **Collection**: reads `process.platform`, `os.arch()`, `os.hostname()`, `os.userInfo().username`, `process.version`, and `process.cwd()`, then JSON-encodes and base64-encodes the bundle. **Exfiltration**: sends collected data via HTTP GET to http://213.218.160.189:8080/s with the payload as a base64 query parameter; C2 URL is concealed in the script via a char-code integer array. **Second-stage execution**: the HTTP response body is written to `os.tmpdir()/.npm-cache/v-<timestamp>.js` and spawned as a detached Node.js process (`stdio: 'ignore'`, `unref()`), persisting after the parent install exits; temp file is deleted after 60 seconds. **Cross-platform fallbacks** (in `package.json` `preinstall`): if Node fails, `curl -fsSL` fetches http://213.218.160.189:8080/sh and executes via `/tmp/.n` (Linux/macOS); PowerShell IEX fetches http://213.218.160.189:8080/ps (Windows).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @izumiswap/sdk | — | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.