VDB
GCVE-110-OSM-2026-4805
GCVE-110-OSM-2026-4805
Advisory PublishedCVSS 8.8/10
This package is a typosquatting supply-chain attack masquerading as a Vue 3 helper. Exfils data to a custom domain controlled by the attacker.
Entrypoint: postinstall-run.cjs (install-hook: node ./postinstall-run.cjs)
Exfil: https://npmjs.it.com/ (custom-c2, recovery: decoded in tooling-bootstrap.cjs)
Payload: tooling-bootstrap.cjs
Key findings:
The postinstall hook executes `tooling-bootstrap.cjs`, which decodes a large base64 payload (`BOOTSTRAP_B64`) at runtime to avoid static detection. The decoded payload is a full C2 RAT agent that registers the victim machine at `https://npmjs.it.com/api/register` (a lookalike domain designed to appear legitimate), collects hostname, username, and OS details, polls for tasks at `/api/task/`, executes arbitrary shell commands via `cmd.exe` or `/bin/sh`, exfiltrates file contents via `/api/file/`, and reports results back to the C2. The package additionally checks for specific sentinel files (e.g., `src/pages/GameAggregator/GameAggrBusinessPage/index.tsx`) to confirm it is running in a targeted victim project, indicating a targeted supply-chain attack rather than opportunistic malware. Stealth mechanisms include detached process spawning with `stdio: 'ignore'`, `windowsHide: true`, and the entire payload hidden behind multiple layers of base64 encoding.
IOCs:
- urls: https://npmjs.it.com/
- domains: npmjs.it.com
- payloadFileHash: 611d046e90549a66bed104e3039df93ff33a7618e5c8bcc285d788c6095f7620
Decoded/deobfuscated IOCs:
- urls: https://npmjs.it.com/
- domains: npmjs.it.com
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | vue-compiler-sfc-plugin | all (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.