VDB

GCVE-110-OSM-2026-4805

GCVE-110-OSM-2026-4805
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 26, 2026
This package is a typosquatting supply-chain attack masquerading as a Vue 3 helper. Exfils data to a custom domain controlled by the attacker. Entrypoint: postinstall-run.cjs (install-hook: node ./postinstall-run.cjs) Exfil: https://npmjs.it.com/ (custom-c2, recovery: decoded in tooling-bootstrap.cjs) Payload: tooling-bootstrap.cjs Key findings: The postinstall hook executes `tooling-bootstrap.cjs`, which decodes a large base64 payload (`BOOTSTRAP_B64`) at runtime to avoid static detection. The decoded payload is a full C2 RAT agent that registers the victim machine at `https://npmjs.it.com/api/register` (a lookalike domain designed to appear legitimate), collects hostname, username, and OS details, polls for tasks at `/api/task/`, executes arbitrary shell commands via `cmd.exe` or `/bin/sh`, exfiltrates file contents via `/api/file/`, and reports results back to the C2. The package additionally checks for specific sentinel files (e.g., `src/pages/GameAggregator/GameAggrBusinessPage/index.tsx`) to confirm it is running in a targeted victim project, indicating a targeted supply-chain attack rather than opportunistic malware. Stealth mechanisms include detached process spawning with `stdio: 'ignore'`, `windowsHide: true`, and the entire payload hidden behind multiple layers of base64 encoding. IOCs: - urls: https://npmjs.it.com/ - domains: npmjs.it.com - payloadFileHash: 611d046e90549a66bed104e3039df93ff33a7618e5c8bcc285d788c6095f7620 Decoded/deobfuscated IOCs: - urls: https://npmjs.it.com/ - domains: npmjs.it.com

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownvue-compiler-sfc-pluginall (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›