VDB
GCVE-110-OSM-2026-6002
GCVE-110-OSM-2026-6002
Advisory PublishedCVSS 8.8/10
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution.
ENTRY
setup.cjs (install-hook: node setup.cjs --no-warnings)
- Install Hook Executes Local JS File in package.json
DESTINATION
- custom-c2: 23.254.164.123 (primary, plaintext) in setup.cjs
EXFIL
- System Information Exfiltration in setup.cjs: "__dirname;e['writeFileSync'](c[_0x5f54e0(0xcd)](i[_0x5f54e0(0xb4)](),'.pkg_histo..."
OBFUSCATION
- Obfuscation: augmented proxied array function replacements in setup.cjs
- Unicode Escape Obfuscation in esm/locale/fa.js: "\u06CC\u06A9\u200C\u0634\u0646\u0628\u0647"
- Unicode Escape Obfuscation in esm/locale/sr-cyrl.js: "\u0433\u043E\u0434\u0438\u043D\u0430"
- Deobfuscation Failed in setup.cjs
- Obfuscation patterns: hexVariables in setup.cjs
ADDITIONAL FINDINGS
- Dynamic Code Execution in esm/plugin/customParseFormat/index.js: "exec(part)"
- Publisher Has Other Malicious Packages
PAYLOAD FILES
setup.cjs (+ esm/plugin/customParseFormat/index.js, plugin/customParseFormat.js)
INDICATORS (IOCs)
- urls: https://day.js.org/, https://bundlephobia.com/package/dayjs, https://saucelabs.com/u/dayjs, https://day.js.org/docs/en/installation/installation, https://day.js.org/docs/en/parse/parse (+40 more)
- domains: day.js.org, bundlephobia.com, saucelabs.com, www.netrouting.com, netrouting.com (+6 more)
- payloadFileHash: 944dc7fd9de2f2efcff6458501084324769f736053129c71db3bf8294478d5f5
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | caspian-day-js | all (affected) | — |
Aliases
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.