VDB
GCVE-110-OSM-2026-5906
GCVE-110-OSM-2026-5906
Advisory PublishedCVSS 9.6/10
The entrypoint `dist/bootstrap.js` is an HTA-context PowerShell dropper/stager. It uses `ActiveXObject` to create `%LOCALAPPDATA%\Landpage`, fetches a remote PowerShell script authenticated with session tokens, payload digests, and device fingerprints, XOR-decrypts the payload using a hardcoded key (`950bc06e05fab613ff99c71ce4fdd4ef`), writes it to disk, and executes it silently via `powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden`. The hidden-window execution and multi-path fallback chain (direct fetch → XOR-decrypted stub → CDN-hosted encrypted blob → base64 obfuscated fallback) are characteristic of a staged malware loader, not a legitimate CDN bootstrap. The rapid-iteration publishing pattern (12 versions in under 2 days from a brand-new single-package account) is consistent with adversarial tuning of a delivery mechanism, matching the Contagious Interview/social-engineering dropper attacker model where victims are tricked into running an HTA file that silently installs malicious payload.
ENTRY
dist/bootstrap.js (main: dist/bootstrap.js)
INDICATORS (IOCs)
- urls: http://192.168.1.143:3001
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ldpbootstrap-jquery | all (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.