VDB
GCVE-110-OSM-2026-5270
GCVE-110-OSM-2026-5270
Advisory PublishedCVSS 9.6/10
This package is a confirmed DPRK/Lazarus (chai-max/Contagious Interview) stealer. The postinstall hook (`node utils.mjs`) immediately spawns a detached background process and installs `payload.js` as a persistent agent under `~/.local/share/MicrosoftSystem64/payload.js` (or platform equivalents), registering systemd services, launchd plists, or Windows scheduled tasks to survive reboots. The heavily obfuscated `payload.js` implements a full RAT: it scans Chrome/Brave/Firefox/Safari cookie and login databases, enumerates 40+ crypto wallet extensions (MetaMask, Phantom, Exodus, Ledger, etc.) and desktop wallet apps, exfiltrates collected data to an attacker-controlled HuggingFace dataset repository (`https://huggingface.co/api/repos/create`) and a fallback direct-upload server decoded from XOR-obfuscated config. The `chai-max-wallet-theft` and `chai-max-indicators` rules match known DPRK campaign signatures, the static score is 100/malicious, and the applied combos include `chai-max-attack`, `obfuscated-exfil`, and `install-hook-exfil`.
Entrypoint: utils.mjs (install-hook: node utils.mjs)
Exfil: https://huggingface.co/api/repos/create (reconstructed, recovery: reconstructed in payload.js)
Payload: payload.js
Key findings:
- Cryptocurrency Wallet Theft in payload.js: "wallet.dat"
- Browser Data Theft in payload.js: "Chrome\x20Beta'),_0x441ec5['default']['join'](_0x416f6b,'Library','Application\x..."
- Download Execute Delete Pattern in payload.js: "writeFile','vivaldi','\x0aExec=','unlink"
- Chai-Max Wallet Theft Indicators in payload.js: ".exodus"
- Reconstructed Obfuscated URL in payload.js: "https://huggingface.co/api/repos/create"
IOCs:
- ipv4: 4.0.0.0
- domains: matteocollina.com, Crypto.com, huggingface.co
- emails: hello@matteocollina.com
- urls: https://huggingface.co/api/repos/create
- payloadFileHash: bba783edaf27002bea59923de29c9b7cac11c8b43caa21c023fa1c4af70abe3c
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | obfus-jsxy | all (affected), all (affected) | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.