VDB

GCVE-110-OSM-2026-5899

GCVE-110-OSM-2026-5899
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package is a confirmed instance of the chai-max stealer associated with the DPRK/Lazarus Contagious Interview campaign. The obfuscated string array in `index` contains unambiguous indicators: Solana wallet theft (`solana_id.`, `xodus/exod`, `xodus.wall`), browser credential harvesting paths (`/Login Data`, `User Data`, `cookies`, Chrome/Brave/Firefox/Opera profile paths), hidden staging directories (`/.n3`, `/.n3/tp`, `/.npl`), and a C2 IP fragment (`http://144...42:1224`). The package is a single-version, newly created (April 18 2025) npm package published by a brand-new account (`ancientdarkknight227`) with only two packages, both likely malicious, masquerading as a legitimate EJS layout utility. The `chai-max-attack` combo rule firing alongside four independent knownMalware rule hits makes this unambiguous. OBFUSCATION - String Array Obfuscation in index: "['homedir','statSync','dus/exodus','MUDpy','WgvIa','iejwg','createRead','trace',..." ADDITIONAL FINDINGS - Chai-Max Cryptocurrency Stealer in index: ":1224" - Chai-Max Wallet Theft Indicators in index: "solana_id." - Chai-Max Staging Directories in index: "'/.n3'" - Chai-Max Campaign Indicators in index: "'/uploads'" PAYLOAD FILES index INDICATORS (IOCs) - urls: http://144 - payloadFileHash: d0a4a0640301582381820e84c0dda3651ff9646e3a0d8bfa479f9bd599b199ef

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownexpress-ejs-frame0.12.5 (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›