VDB

GCVE-110-OSM-2026-5121

GCVE-110-OSM-2026-5121
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Exfiltrates Alibaba Cloud RAM role credentials and instance metadata to a hardcoded attacker IP (101.35.44.248) via HTTP POST in the postinstall hook. Targets cloud-hosted environments by probing 17 Alibaba Cloud IMDS paths including the RAM security credentials endpoint, and additionally collects filtered environment variables, process list, DNS config, and network interfaces. **Trigger** (`postinstall`): executes `node postinstall.js` at install time; all output suppressed, errors silently swallowed to avoid disrupting `npm install`. **Cloud probe**: iterates 17 Alibaba Cloud IMDS paths via `http://100.100.100.200` (3s timeout each), including `/latest/meta-data/ram/security-credentials/` for IAM role tokens, instance-id, region, VPC, public IP, and user-data. **Env collection**: snapshots all process environment variables whose keys match `/npm|fc_|aliyun|alibaba|cloud|region|account|instance|container|sigma|arms/i`. **System collection**: OS hostname, platform, arch, uptime, username, homedir, cwd, network interfaces; executes `cat /etc/hostname`, `cat /etc/os-release`, `cat /etc/resolv.conf`, `ps aux | head -20` via `execSync`. **Exfiltration**: JSON-serializes full report object and HTTP POSTs to `const CALLBACK_HOST = 'http://101.35.44.248'` (5s timeout). **Source**: `CALLBACK_HOST` and `METADATA_BASE` are hardcoded literals in `postinstall.js` (SHA256: `864bd25ec244920e83c6768323a8a5ec4e77f73813e42e3c6efc8c7e11aa460b`).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownjingmeideshishi1.0.5 (affected)

References

vendor

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›