VDB
GCVE-110-OSM-2026-5925
GCVE-110-OSM-2026-5925
Advisory PublishedCVSS 9.6/10
The package implements a browser redirect campaign: `beamglea.js` constructs a URL via string concatenation (`https://cfn.kafiky.com/NPiGdCBx#akash.d@lakeb2b.com`) and immediately invokes `window.location.href` to redirect the victim's browser to an attacker-controlled domain. The email address embedded as a URL fragment (`akash.d@lakeb2b.com`) is a classic tracking/attribution token used in phishing and click-fraud operations to identify which victim/install path was hit. The publisher `focalxcds12340` created their account approximately 3 days before publish and immediately flooded the registry with 23 identically-structured `redirect-*` packages — a bulk-publish pattern consistent with SEO poisoning, dependency confusion, or phishing redirect distribution. The domain `cfn.kafiky.com` has no established reputation and the URL path is a short opaque token, consistent with an attacker-controlled redirect/tracking endpoint. No legitimate npm package has a reason to redirect a browser to an external URL with an embedded email on load.
ENTRY
beamglea.js (main: beamglea.js)
DESTINATION
- reconstructed: https://cfn.kafiky.com/NPiGdCBx#akash.d@lakeb2b.com (primary, reconstructed) in beamglea.js
OBFUSCATION
- recovered 1 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Reconstructed Obfuscated URL in beamglea.js: "https://cfn.kafiky.com/NPiGdCBx#akash.d@lakeb2b.com"
PAYLOAD FILES
beamglea.js
INDICATORS (IOCs)
- urls: https://cfn.kafiky.com/NPiGdCBx
- domains: lakeb2b.com, cfn.kafiky.com
- emails: akash.d@lakeb2b.com
- payloadFileHash: b3125734e082053b7b775c93aa93b92833752ffc254f750961f2b00bd5e6f304
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | redirect-r0x3ju | all (affected) | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.