VDB

GCVE-110-OSM-2026-5906

GCVE-110-OSM-2026-5906
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
The entrypoint `dist/bootstrap.js` is an HTA-context PowerShell dropper/stager. It uses `ActiveXObject` to create `%LOCALAPPDATA%\Landpage`, fetches a remote PowerShell script authenticated with session tokens, payload digests, and device fingerprints, XOR-decrypts the payload using a hardcoded key (`950bc06e05fab613ff99c71ce4fdd4ef`), writes it to disk, and executes it silently via `powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden`. The hidden-window execution and multi-path fallback chain (direct fetch → XOR-decrypted stub → CDN-hosted encrypted blob → base64 obfuscated fallback) are characteristic of a staged malware loader, not a legitimate CDN bootstrap. The rapid-iteration publishing pattern (12 versions in under 2 days from a brand-new single-package account) is consistent with adversarial tuning of a delivery mechanism, matching the Contagious Interview/social-engineering dropper attacker model where victims are tricked into running an HTA file that silently installs malicious payload. ENTRY dist/bootstrap.js (main: dist/bootstrap.js) INDICATORS (IOCs) - urls: http://192.168.1.143:3001

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownldpbootstrap-jqueryall (affected)

References

vendor

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›