VDB
GCVE-110-OSM-2026-4811
GCVE-110-OSM-2026-4811
Advisory PublishedCVSS 9.6/10
Exfiltrates keystrokes, clipboard contents, screen captures, arbitrary files, and Chrome extension data by deploying a custom Go 1.22 RAT ('SStar native agent') fetched at require-time from api.otter-stack.com via a XOR-obfuscated dropper. On macOS the RAT installs a LaunchAgent disguised as Google Update (com.googleupdate.sstaragent); on Linux it installs a systemd user service (sstar-native-agent.service, no root required) with a crontab fallback. Part of a coordinated campaign sharing infrastructure token IobO0YELAu4CJ2oG4iC4W38OxsOtTk8a with sibling package typography-stylecss.
**Trigger** (`require-time IIFE`): malicious IIFE appended after legitimate tailwindcss/typography plugin code in `src/index.js`; fires on any `require()` or `import` of the package. No install hook.
**Obfuscation**: C2 URL and filenames XOR-encoded with key 0x2a, decoded at runtime via `TextDecoder`.
**Platform detection**: reads `process.platform` and `process.arch` to select binary.
**Download**: fetches binary from `https://api.otter-stack.com/d/IobO0YELAu4CJ2oG4iC4W38OxsOtTk8a/agent?os=<os>&arch=<arch>` — C2 live at analysis time.
**Write + spawn**: binary written to `os.tmpdir()/<service-name>` (mode 0o700), spawned detached via `child_process.spawn` + `.unref()`.
**Stage-2 RAT — SStar native agent (Go 1.22)**:
- Built from `/home/ubuntu/server/agent/` on Ubuntu Linux; deployment token `IobO0YELAu4CJ2oG4iC4W38OxsOtTk8a` baked in via `-ldflags`.
- C2: polls `https://api.otter-stack.com/api/telemetry/poll-command`; bidirectional WebSocket (gorilla/websocket); POSTs results to `/api/telemetry/command-result`.
- **macOS**: screen capture + interactive control, keylogging, clipboard theft, shell execution, file exfiltration, directory enumeration, Chrome extension collection. LaunchAgent persistence: `~/Library/LaunchAgents/com.googleupdate.sstaragent.plist`.
- **Linux** (BN confirmed): shell execution (`/bin/sh -c`), file exfiltration, directory enumeration, Chrome/crypto-wallet extension collection. Persistence: systemd user service `sstar-native-agent.service` + `@reboot` crontab fallback. Keylogging and clipboard are stubs; screen capture disabled at runtime.
- Public IP beaconed to `api.ipify.org` on startup.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tw-style-utils | 0.7.1 (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.