VDB

GCVE-110-OSM-2026-5901

GCVE-110-OSM-2026-5901
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a video streaming scraper library that embeds a covert proxy/exfiltration infrastructure. The defaultProvider.js file plainly shows hardcoded C2 endpoints — `https://1shows.ru`, `http://2shows.ru`, `http://102.129.165.115:8081`, and `http://45.94.31.146:3000` — used as proxy routes that all traffic is tunneled through, effectively exfiltrating every HTTP request the caller makes through attacker-controlled infrastructure. Two OAST callback endpoints (`aohahjawokysigxyjttsggnxfsrt0whg9.oast.fun` and `vwjsrnklglxpewsuiehxewptw4abj9r5m.oast.fun`) embedded in GitHub Actions workflow YAML files confirm the attacker is actively testing out-of-band DNS/HTTP callbacks to verify execution. The package uses obfuscation across multiple provider files (dynamic atob, eval of decoded strings, XOR encoding) to hide these IOCs, and deobfuscation recovered hidden IPv4 C2 addresses and additional .ru domains. The attacker model is a malicious npm package posing as a streaming provider library that silently proxies all developer HTTP calls through attacker-controlled servers, enabling traffic interception and credential/token theft. ENTRY dist/index.js (main: dist/index.js) DESTINATION - custom-c2: https://1shows.ru (primary, deobfuscated) in dist/providers/defaultProvider.js - custom-c2: http://2shows.ru (deobfuscated) in dist/providers/defaultProvider.js - custom-c2: http://102.129.165.115:8081 (deobfuscated) in dist/providers/defaultProvider.js - custom-c2: http://45.94.31.146:3000 (deobfuscated) in dist/providers/defaultProvider.js - reconstructed: https://api-play-021024.playm4u.xyz/api/tp1rd/playiframe (reconstructed) in dist/providers/m4ufree/scraper.js - reconstructed: https://soaper.live (reconstructed) in dist/providers/soaper/functions.js - custom-c2: 1shows.ru (deobfuscated) in dist/providers/defaultProvider.js - custom-c2: 2shows.ru (deobfuscated) in dist/providers/defaultProvider.js (+43 more) EXFIL - OAST/Interactsh Exfiltration in .github/workflows/71c25223-592c-4abd-bbc8-d1fb0a1aa209.yaml: ".oast.fun" - OAST/Interactsh Exfiltration in .github/workflows/7b92c930-0627-4f5f-ab2a-a7dc5902c1e9.yaml: ".oast.fun" - OAST/Interactsh Exfiltration in .github/workflows/962c1272-723c-42e6-9767-418de3ea4b75.yaml: ".oast.fun" - Corporate Environment Targeting in fuckers/browser-based-movie/megatube/megaJs.js: "tModified[JP]), BD.etag[JP])) { h6.setRequestHeader("If-None-Match" - Data Encoding for Exfiltration in dist/animeProviders/hianime/index.js: "encodeURIComponent(qry" - Data Encoding for Exfiltration in dist/providers/defaultProvider.js: "encodeURIComponent(url)}&requestInit=${encodeURIComponent(JSON.stringify(options" - Data Encoding for Exfiltration in dist/providers/flixhq/rabbit_wasm/old_fucker/rabbit.js: "btoa(" - Data Encoding for Exfiltration in dist/providers/m4ufree/index.js: "encodeURIComponent(payload" (+34 more) OBFUSCATION - IOCs Found in Deobfuscated Code in dist/providers/catflix/index.js - IOCs Found in Deobfuscated Code in dist/providers/defaultProvider.js - IOCs Found in Deobfuscated Code in dist/providers/embed.su/index.js - IOCs Found in Deobfuscated Code in dist/providers/frembed/index.js - IOCs Found in Deobfuscated Code in test.js - Dynamic Base64 Decoding in dist/providers/catflix/index.js: "atob(juiceData." - Dynamic Base64 Decoding in dist/providers/defaultProvider.js: "atob(base64)" - Dynamic Base64 Decoding in dist/providers/embed.su/index.js: "Atob(hashEncode)" (+22 more) ADDITIONAL FINDINGS - Reconstructed Obfuscated URL in dist/providers/m4ufree/scraper.js: "https://api-play-021024.playm4u.xyz/api/tp1rd/playiframe" - Dynamic Code Execution in dist/animeProviders/hianime/index.js: "exec(decodedText)" - Suspicious TLD Domain in dist/providers/2embed.cc/index.js: "https://uqloads.xyz" - XOR-Encoded String Arrays in dist/providers/movies_api/cryptojs/cryptojs.js: "var p2 = [0, 1, 2, 4, 8, 16, 32, 64, 128, 27, 54]" - Shell Command Execution in updater.py: "subprocess.run(" - Malicious Dependency Detected in package.json PAYLOAD FILES fuckers/browser-based-movie/megatube/megaJs.js (+ dist/providers/defaultProvider.js, dist/animeProviders/hianime/index.js) INDICATORS (IOCs) - ipv4: 124.0.0.0, 138.0.0.0, 103.150.12.5, 1.2.1.1, 1.0.1.1 (+3 more) - urls: https://iframetester.com/, https://streamsrcs.2embed.cc/, https://afdah.live/, https://moviesroot.club/, https://turbovid.eu/ (+23 more) - domains: iframetester.com, streamsrcs.2embed.cc, afdah.live, moviesroot.club, kerolaunochan.online (+7 more) - emails: 8.33.2+commercial_master.561.ads-dai@mono.ads, -freewheel@mono.ads, -googima@mono.ads, -vast@mono.hls.js, 1.4.10.jwplayer@mono.jwplayer (+1 more) - sha256Hashes: 53616c7465645f5fe1fbcbf81000253f2c96157dfd46ad1d6d18b510b6b5ea5f, d786e8072b3185b2890581dc582c8ad518c85fcdd21f5591f4804534aa62219e, 812dc850a908115d18f6487bbd3ca025004032caaccb861a85ecbdf069e6fcca - payloadFileHash: 3a9422d46c5821cb5bfcdfeef7b0d2b6ebb0e73c89491b1dbc891d342de13a7a

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownlucifer490-v2all (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›