VDB
GCVE-110-OSM-2026-5905
GCVE-110-OSM-2026-5905
Advisory PublishedCVSS 9.6/10
This package implements a credential-phishing redirect campaign. The entrypoint `beamglea.js` executes immediately on load and uses `window.location.href` to redirect victims to `https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o365_cok` — a compromised WordPress site hosting a fake Office 365 login page (the `_o365_cok` parameter is a well-known phishing kit indicator). The URL is built via string concatenation to partially evade static detection. The publisher `vaddo234334` published 8 packages with the same `redirect-*` naming pattern simultaneously, all from a brand-new account (first publish same day as account creation), consistent with a coordinated bulk-deployment phishing campaign. The large corpus of harvested corporate email addresses embedded in the package (29+ from real companies) suggests these are targets or prior victims being used as lures. The `redirect_generator.py` file using `subprocess.run` indicates automated generation of these redirect packages at scale.
ENTRY
beamglea.js (main: beamglea.js)
DESTINATION
- reconstructed: https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o365_cok# (primary, reconstructed) in beamglea.js
OBFUSCATION
- recovered 1 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Reconstructed Obfuscated URL in beamglea.js: "https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o36..."
- Shell Command Execution in redirect_generator.py: "subprocess.run("
PAYLOAD FILES
beamglea.js (+ redirect_generator.py)
INDICATORS (IOCs)
- urls: https://cfn.jackpotmastersdanske.com/TJImeEKD, https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o365_cok
- domains: grantsblinds.com, aegg.co.uk, p81.co.uk, cejn.com, hieu.vu (+24 more)
- emails: sraka@hust.hr, joe.guest@grantsblinds.com, richard@aegg.co.uk, chris@p81.co.uk, santosh.kanakanala@cejn.com (+24 more)
- payloadFileHash: 52cd58699f60b6f809f4bf32cab744da9965dfdb0605a753843760524a9c815f
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | redirect-r4ecau | all (affected) | — |
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.