VDB

GCVE-110-OSM-2026-5905

GCVE-110-OSM-2026-5905
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a credential-phishing redirect campaign. The entrypoint `beamglea.js` executes immediately on load and uses `window.location.href` to redirect victims to `https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o365_cok` — a compromised WordPress site hosting a fake Office 365 login page (the `_o365_cok` parameter is a well-known phishing kit indicator). The URL is built via string concatenation to partially evade static detection. The publisher `vaddo234334` published 8 packages with the same `redirect-*` naming pattern simultaneously, all from a brand-new account (first publish same day as account creation), consistent with a coordinated bulk-deployment phishing campaign. The large corpus of harvested corporate email addresses embedded in the package (29+ from real companies) suggests these are targets or prior victims being used as lures. The `redirect_generator.py` file using `subprocess.run` indicates automated generation of these redirect packages at scale. ENTRY beamglea.js (main: beamglea.js) DESTINATION - reconstructed: https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o365_cok# (primary, reconstructed) in beamglea.js OBFUSCATION - recovered 1 urls, 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Reconstructed Obfuscated URL in beamglea.js: "https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o36..." - Shell Command Execution in redirect_generator.py: "subprocess.run(" PAYLOAD FILES beamglea.js (+ redirect_generator.py) INDICATORS (IOCs) - urls: https://cfn.jackpotmastersdanske.com/TJImeEKD, https://brandconnect.co.zw/wp-login/d88cd.php#sales@fire-testing.com%26page=_o365_cok - domains: grantsblinds.com, aegg.co.uk, p81.co.uk, cejn.com, hieu.vu (+24 more) - emails: sraka@hust.hr, joe.guest@grantsblinds.com, richard@aegg.co.uk, chris@p81.co.uk, santosh.kanakanala@cejn.com (+24 more) - payloadFileHash: 52cd58699f60b6f809f4bf32cab744da9965dfdb0605a753843760524a9c815f

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownredirect-r4ecauall (affected)

References

vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›