VDB

GCVE-110-OSM-2026-4811

GCVE-110-OSM-2026-4811
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 27, 2026
Exfiltrates keystrokes, clipboard contents, screen captures, arbitrary files, and Chrome extension data by deploying a custom Go 1.22 RAT ('SStar native agent') fetched at require-time from api.otter-stack.com via a XOR-obfuscated dropper. On macOS the RAT installs a LaunchAgent disguised as Google Update (com.googleupdate.sstaragent); on Linux it installs a systemd user service (sstar-native-agent.service, no root required) with a crontab fallback. Part of a coordinated campaign sharing infrastructure token IobO0YELAu4CJ2oG4iC4W38OxsOtTk8a with sibling package typography-stylecss. **Trigger** (`require-time IIFE`): malicious IIFE appended after legitimate tailwindcss/typography plugin code in `src/index.js`; fires on any `require()` or `import` of the package. No install hook. **Obfuscation**: C2 URL and filenames XOR-encoded with key 0x2a, decoded at runtime via `TextDecoder`. **Platform detection**: reads `process.platform` and `process.arch` to select binary. **Download**: fetches binary from `https://api.otter-stack.com/d/IobO0YELAu4CJ2oG4iC4W38OxsOtTk8a/agent?os=<os>&arch=<arch>` — C2 live at analysis time. **Write + spawn**: binary written to `os.tmpdir()/<service-name>` (mode 0o700), spawned detached via `child_process.spawn` + `.unref()`. **Stage-2 RAT — SStar native agent (Go 1.22)**: - Built from `/home/ubuntu/server/agent/` on Ubuntu Linux; deployment token `IobO0YELAu4CJ2oG4iC4W38OxsOtTk8a` baked in via `-ldflags`. - C2: polls `https://api.otter-stack.com/api/telemetry/poll-command`; bidirectional WebSocket (gorilla/websocket); POSTs results to `/api/telemetry/command-result`. - **macOS**: screen capture + interactive control, keylogging, clipboard theft, shell execution, file exfiltration, directory enumeration, Chrome extension collection. LaunchAgent persistence: `~/Library/LaunchAgents/com.googleupdate.sstaragent.plist`. - **Linux** (BN confirmed): shell execution (`/bin/sh -c`), file exfiltration, directory enumeration, Chrome/crypto-wallet extension collection. Persistence: systemd user service `sstar-native-agent.service` + `@reboot` crontab fallback. Keylogging and clipboard are stubs; screen capture disabled at runtime. - Public IP beaconed to `api.ipify.org` on startup.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntw-style-utils0.7.1 (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›