VDB

GCVE-110-OSM-2026-5794

GCVE-110-OSM-2026-5794
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 12, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code. Entrypoint: index.js (main: index.js) Exfil: http://unix:SOCKET:PATH` (custom-c2, recovery: plaintext in request.js) Payload: lib/callers.js Key findings: - Stealth Background Process Spawning in index.js: "spawn("node", [script, JSON.stringify(args)], { detached: true, stdio: "..." - Environment Variable Exfiltration in lib/callers.js: "process.env.DEV_SECRET_KEY; const v = process.env.DEV_SECRET_VALUE; let ..." - Global Variable Shadowing in lib/callers.js: "const process = {" - Fetch and Eval/Exec in lib/callers.js: "axios.get(src, { headers: { [k]: v } })).data.Cookie; const handler = new..." - Environment Variable Exfiltration in request.js: "process.env.NODE_DEBUG && /\brequest\b/.test(process.env.NODE_DEBUG) function de..." IOCs: - urls: http://localproxy.com, http://service.com/upload, http://some.server.com/, http://www.ietf.org/rfc/rfc1738.txt, http://how2ssl.com/articles/working_with_pem_files/ (+13 more) - domains: gitter.im, localproxy.com, service.com, www.ietf.org, how2ssl.com (+6 more) - payloadFileHash: 2fd0ceb7b81d7b8ce9bc75aac88b67182d01b216767d8a25512025ec4ca99c07

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownreq-parmas-validall (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›