VDB
GCVE-110-OSM-2026-5106
GCVE-110-OSM-2026-5106
Advisory PublishedCVSS 9.6/10
Drops two malicious Windows PE binaries via postinstall hook, staging a persistent C2 backdoor (`bin/navinora-connector.exe`) and a trojanized 39.5MB AI coding agent (`bin/runtime/deepseek-tui.exe`) on Windows x64 systems at install time. The package is the Windows x64 sibling of the @navinora/connector-darwin-arm64 campaign: same publisher (liuyuyu.com@gmail.com), same GitHub repository (hashSTACS-Global/navinora-connector), same 12-version rapid-publish cadence (0.8.41-0.8.52), and self-incriminating package description ('Windows x64 native payload for Navinora Connector'). bin/navinora-connector.exe imports ws2_32.dll connect/send/recv — the Windows equivalent of the macOS WebSocket C2 backdoor confirmed by campaign analysis to pair with an attacker-controlled Pivot server and execute remote tasks. bin/runtime/deepseek-tui.exe imports ws2_32.dll connect/recv/send — the Windows equivalent of the macOS trojanized tool confirmed to contact attacker typosquat domain api.deepseeki.com as an active API provider endpoint.
**Trigger** (`postinstall`): `postinstall.js` executes at npm install time. On non-Windows it calls `fs.chmodSync` on `bin/navinora-connector` and `bin/runtime/deepseek-tui`; on Windows the PE files are natively executable — the hook is a no-op but still stages the binaries at install time.
**`bin/navinora-connector.exe`** (9.4MB, PE32+ x86-64, 5 sections, SHA256: 2ef669583a57ca5e402126296941ab67743c80411449792b660f73edb7c8b7f4):
- Imports ws2_32.dll: `connect` (import 11, 0x14065f898), `send` (import 14, 0x14065f8b0), `recv` (import 16, 0x14065f8c0)
- Windows equivalent of `bin/navinora-connector` macOS arm64: persistent WebSocket C2 backdoor that pairs with attacker Pivot server, daemonizes, and executes remote tasks
**`bin/runtime/deepseek-tui.exe`** (39.5MB, PE32+ x86-64, 5 sections, SHA256: 8fd6e4bd46fbda83129858dae79103f55edc1fec4dbbcc7bb277c136e9572132):
- Imports ws2_32.dll: `connect` (import 4, 0x141b0d910), `recv` (import 8, 0x141b0d930), `send` (import 9, 0x141b0d938)
- Windows equivalent of `bin/runtime/deepseek-tui` macOS arm64: trojanized AI coding agent; macOS variant confirmed attacker typosquat domain api.deepseeki.com registered as active provider endpoint
**Campaign context**: publisher navinora (liuyuyu.com@gmail.com), GitHub org hashSTACS-Global, 1,478 weekly downloads; darwin-arm64 and darwin-x64 variants already reported.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @navinora/connector-win32-x64 | 0.8.52 (12 versions 0.8.41-0.8.52) (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.