VDB
GCVE-110-OSM-2026-5817
GCVE-110-OSM-2026-5817
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution.
Entrypoint: engine-requirements.js (install-hook: node ./engine-requirements.js)
Exfil: update.me (custom-c2, recovery: plaintext in lib/Socket/socket.js)
Payload: lib/Socket/newsletter.js
Secondary files: lib/Utils/generics.js, lib/Utils/messages-media.js
Key findings:
- Decoded Base64 Content in lib/Socket/newsletter.js
- Suspicious TLD Domain in lib/Defaults/index.d.ts: "https://movanest.xyz"
- Suspicious TLD Domain in lib/Defaults/index.js: "https://movanest.xyz"
- Startup Persistence in lib/Socket/chats.js: ".profile"
- Startup Persistence in lib/Socket/messages-send.js: ".profile"
IOCs:
- ipv4: 131.0.0.0
- urls: https://movanest.xyz/donation, https://wa.me/settings/linked_devices#, https://cdn.malvintech.sbs/file/chJids.json
- domains: i.ibb.co, movanest.xyz, sock.ws, wa.me, creds.me (+5 more)
- emails: 123456789-123345@g.us, 1201111111111@g.us, 16505361212@c.us, server@c.us, 0@c.us (+1 more)
- bitcoinAddresses: 123456789ABCDEFGHJKLMNPQRSTVWXYZ
- sha256Hashes: 142375574d0a587166aae71ebe516437c4a28b73e3695c6ce1f7f9545da8ee6b, f09d96b2f09d978df09d96baf09d978bf09d96bff09d96baf09d9785f09d9785
- payloadFileHash: 7921ff0f4dbe4177589dca05821305794409a5275a6d6d9702392810d55945b6
Decoded/deobfuscated IOCs:
- urls: https://cdn.malvintech.sbs/file/chJids.json
- domains: cdn.malvintech.sbs
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | malvin-baileys | 2.2.5 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.