VDB
GCVE-110-OSM-2026-5121
GCVE-110-OSM-2026-5121
Advisory PublishedCVSS 8.8/10
Exfiltrates Alibaba Cloud RAM role credentials and instance metadata to a hardcoded attacker IP (101.35.44.248) via HTTP POST in the postinstall hook. Targets cloud-hosted environments by probing 17 Alibaba Cloud IMDS paths including the RAM security credentials endpoint, and additionally collects filtered environment variables, process list, DNS config, and network interfaces.
**Trigger** (`postinstall`): executes `node postinstall.js` at install time; all output suppressed, errors silently swallowed to avoid disrupting `npm install`.
**Cloud probe**: iterates 17 Alibaba Cloud IMDS paths via `http://100.100.100.200` (3s timeout each), including `/latest/meta-data/ram/security-credentials/` for IAM role tokens, instance-id, region, VPC, public IP, and user-data.
**Env collection**: snapshots all process environment variables whose keys match `/npm|fc_|aliyun|alibaba|cloud|region|account|instance|container|sigma|arms/i`.
**System collection**: OS hostname, platform, arch, uptime, username, homedir, cwd, network interfaces; executes `cat /etc/hostname`, `cat /etc/os-release`, `cat /etc/resolv.conf`, `ps aux | head -20` via `execSync`.
**Exfiltration**: JSON-serializes full report object and HTTP POSTs to `const CALLBACK_HOST = 'http://101.35.44.248'` (5s timeout).
**Source**: `CALLBACK_HOST` and `METADATA_BASE` are hardcoded literals in `postinstall.js` (SHA256: `864bd25ec244920e83c6768323a8a5ec4e77f73813e42e3c6efc8c7e11aa460b`).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | jingmeideshishi | 1.0.5 (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.