VDB

GCVE-110-OSM-2026-5270

GCVE-110-OSM-2026-5270
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 4, 2026
This package is a confirmed DPRK/Lazarus (chai-max/Contagious Interview) stealer. The postinstall hook (`node utils.mjs`) immediately spawns a detached background process and installs `payload.js` as a persistent agent under `~/.local/share/MicrosoftSystem64/payload.js` (or platform equivalents), registering systemd services, launchd plists, or Windows scheduled tasks to survive reboots. The heavily obfuscated `payload.js` implements a full RAT: it scans Chrome/Brave/Firefox/Safari cookie and login databases, enumerates 40+ crypto wallet extensions (MetaMask, Phantom, Exodus, Ledger, etc.) and desktop wallet apps, exfiltrates collected data to an attacker-controlled HuggingFace dataset repository (`https://huggingface.co/api/repos/create`) and a fallback direct-upload server decoded from XOR-obfuscated config. The `chai-max-wallet-theft` and `chai-max-indicators` rules match known DPRK campaign signatures, the static score is 100/malicious, and the applied combos include `chai-max-attack`, `obfuscated-exfil`, and `install-hook-exfil`. Entrypoint: utils.mjs (install-hook: node utils.mjs) Exfil: https://huggingface.co/api/repos/create (reconstructed, recovery: reconstructed in payload.js) Payload: payload.js Key findings: - Cryptocurrency Wallet Theft in payload.js: "wallet.dat" - Browser Data Theft in payload.js: "Chrome\x20Beta'),_0x441ec5['default']['join'](_0x416f6b,'Library','Application\x..." - Download Execute Delete Pattern in payload.js: "writeFile','vivaldi','\x0aExec=','unlink" - Chai-Max Wallet Theft Indicators in payload.js: ".exodus" - Reconstructed Obfuscated URL in payload.js: "https://huggingface.co/api/repos/create" IOCs: - ipv4: 4.0.0.0 - domains: matteocollina.com, Crypto.com, huggingface.co - emails: hello@matteocollina.com - urls: https://huggingface.co/api/repos/create - payloadFileHash: bba783edaf27002bea59923de29c9b7cac11c8b43caa21c023fa1c4af70abe3c

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownobfus-jsxyall (affected), all (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›