VDB

GCVE-110-OSM-2026-5291

GCVE-110-OSM-2026-5291
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 4, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, install-time execution. Entrypoint: scripts/post-install.js (install-hook: node scripts/post-install.js) Exfil: http://127.0.0.1:4096/session (reconstructed, recovery: reconstructed in service/modules/opencode-service.js) Payload: service/worker.js Secondary files: service/rongcloud/openclaw-client.js, cli.js Key findings: - Download Execute Delete Pattern in cli.js: "writeFileSync(serviceFile, serviceContent); exec('systemctl daemon-reload..." - Reconstructed Obfuscated URL in service/modules/opencode-service.js: "http://127.0.0.1:4096/session" - Download Execute Delete Pattern in service/modules/service-manager.js: "execCommand(`systemctl disable ${this.serviceName}`); const serviceFile = `..." - Environment Variable Exfiltration in service/modules/system-config.js: "process.env.DM_SERVER_URL || 'https://newsradar.dreamdt.cn/im'; this.configs..." - Stealth Background Process Spawning in service/rongcloud/openclaw-client.js: "spawn('openclaw', ['gateway'], { shell: true, windowsHide: true, ..." IOCs: - ipv4: 1.17.0.0, 2.0.0.0, 1.0.0.0 - urls: http://127.0.0.1:$PORT/, http://127.0.0.1:$port/, https://newsradar.dreamdt.cn/im, https://docs.openclaw.ai, https://docs.rongcloud.cn/platform-chat-api/message/send-private-stream (+1 more) - domains: restart.sh, status.sh, newsradar.dreamdt.cn, docs.rongcloud.cn, api-b.rong-api.com (+3 more) - binaryHashes: bf2cc5fd9a0e07d17309f51f7a6212d73cccb1d3a941dd90115a19f3abfcf707 - payloadFileHash: a24578e8e73ce0488b351d4f7398204f6d086be1163cf628b36e4cc0e8ecc29c Hidden install (secondary package pulled at runtime): - --ignore-scripts [OSM: clean] in scripts/sync-local.js

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownclaw-subagent-serviceall (affected)

References

advisory
vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›