VDB
GCVE-110-OSM-2026-5428
GCVE-110-OSM-2026-5428
Advisory PublishedCVSS 9.6/10
This package implements a heavily obfuscated WhatsApp session hijacker and credential stealer. The decoded base64 payload contains a literal `rm -rf sessions/dev* sessions/identity* sessions/tcttoken* sessions/lid* sessions/pre* sessions/sender* sessions/session*` shell command executed via `child_process`, which destroys WhatsApp multi-device session state — a known technique to force re-authentication and capture fresh credentials. A second decoded blob references `axios`, `cookie`, `token`, and `Chrome`, consistent with browser credential harvesting. The network layer fetches from externally controlled `BUFFER_URL` and `JSON_URL` endpoints, and the IOC `https://github.com/ruhend2001/maleficent/blob/master/plugins/main/menu.js` names the attacker's payload source explicitly. The package was published four times in under five hours with no source repository, the publisher account is effectively new, and the entire codebase is wrapped in multi-layer obfuscation (hex escapes ×1296, string-array rotation, base64 blobs, debugger anti-analysis traps) — a profile consistent with a WhatsApp bot malware campaign targeting session tokens and browser-stored credentials.
ENTRY
index.js (main: index.js)
OBFUSCATION
- Decoded Base64 Content in index.js
- Decoded Base64 Content in index.js
- Base64 Encoded Payload in index.js: "'AQIIAQACAiIIDFN0cmluZwQBCBBpbmNsdWRlcwgccmF0ZS1vdmVybGltaXQIIlVuc3VwcG9ydGVkIHN..."
- String Array Obfuscation in index.js: "OM[OY-0x1]"
- Obfuscation Pattern: debuggerTraps in index.js: "debugger"
- Obfuscation Pattern: hexHeavy in index.js: "\x27"
- Deobfuscation Skipped (safety guard) in index.js
- recovered 2 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Shell Command Execution in index.js: "require('child_process')"
- Indirect Function Constructor Access in index.js: "['constructor']"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
index.js
INDICATORS (IOCs)
- urls: https://www.axis.co.id, https://github.com/ruhend2001/maleficent/blob/master/plugins/main/menu.js, https://id.pinterest.com/search/pins/?q=_0x2dcca9�Mozilla/5.0
- domains: www.axis.co.id, id.pinterest.com
- payloadFileHash: dcf47d0e9ae17ee7601eff2603e2a3f615d439ff1cec9fd5645bb585b75b72ef
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | mf-system | all (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.