VDB
GCVE-110-OSM-2026-5899
GCVE-110-OSM-2026-5899
Advisory PublishedCVSS 9.6/10
This package is a confirmed instance of the chai-max stealer associated with the DPRK/Lazarus Contagious Interview campaign. The obfuscated string array in `index` contains unambiguous indicators: Solana wallet theft (`solana_id.`, `xodus/exod`, `xodus.wall`), browser credential harvesting paths (`/Login Data`, `User Data`, `cookies`, Chrome/Brave/Firefox/Opera profile paths), hidden staging directories (`/.n3`, `/.n3/tp`, `/.npl`), and a C2 IP fragment (`http://144...42:1224`). The package is a single-version, newly created (April 18 2025) npm package published by a brand-new account (`ancientdarkknight227`) with only two packages, both likely malicious, masquerading as a legitimate EJS layout utility. The `chai-max-attack` combo rule firing alongside four independent knownMalware rule hits makes this unambiguous.
OBFUSCATION
- String Array Obfuscation in index: "['homedir','statSync','dus/exodus','MUDpy','WgvIa','iejwg','createRead','trace',..."
ADDITIONAL FINDINGS
- Chai-Max Cryptocurrency Stealer in index: ":1224"
- Chai-Max Wallet Theft Indicators in index: "solana_id."
- Chai-Max Staging Directories in index: "'/.n3'"
- Chai-Max Campaign Indicators in index: "'/uploads'"
PAYLOAD FILES
index
INDICATORS (IOCs)
- urls: http://144
- payloadFileHash: d0a4a0640301582381820e84c0dda3651ff9646e3a0d8bfa479f9bd599b199ef
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | express-ejs-frame | 0.12.5 (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.