VDB

GCVE-110-OSM-2026-4759

GCVE-110-OSM-2026-4759
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 26, 2026
Exfiltrates system reconnaissance (hostname, username, OS platform, architecture, Node.js version, working directory) to attacker-controlled C2 at 213.218.160.189:8080 during preinstall, then downloads and executes a second-stage payload as a detached persistent Node.js process. Cross-platform fallbacks guarantee execution via curl+sh (Linux/macOS) or PowerShell IEX (Windows). Impersonates the legitimate iZiSwap concentrated liquidity DEX SDK to target DeFi and Web3 developers. **Trigger** (`preinstall`): executes `node scripts/postinstall.js` at install time. **Collection**: reads `process.platform`, `os.arch()`, `os.hostname()`, `os.userInfo().username`, `process.version`, and `process.cwd()`, then JSON-encodes and base64-encodes the bundle. **Exfiltration**: sends collected data via HTTP GET to http://213.218.160.189:8080/s with the payload as a base64 query parameter; C2 URL is concealed in the script via a char-code integer array. **Second-stage execution**: the HTTP response body is written to `os.tmpdir()/.npm-cache/v-<timestamp>.js` and spawned as a detached Node.js process (`stdio: 'ignore'`, `unref()`), persisting after the parent install exits; temp file is deleted after 60 seconds. **Cross-platform fallbacks** (in `package.json` `preinstall`): if Node fails, `curl -fsSL` fetches http://213.218.160.189:8080/sh and executes via `/tmp/.n` (Linux/macOS); PowerShell IEX fetches http://213.218.160.189:8080/ps (Windows).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@izumiswap/sdk

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›