VDB

GCVE-110-OSM-2026-6133

GCVE-110-OSM-2026-6133
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 17, 2026
Executes a postinstall hook that XOR-decrypts a concealed stage-2 download URL split across two coordinated dependency packages (endpointmap, bytecraft), retrieves a Windows PE binary from files.catbox.moe via a LOLBin download chain (https.get → curl.exe → bitsadmin.exe fallbacks), strips the Mark-of-the-Web Zone.Identifier ADS to bypass Windows SmartScreen, and silently executes the PE. Part of a coordinated three-package campaign published under @deltajohnsons.com on 2026-06-16. The postinstall hook reconstructs the download URL https://files.catbox.moe/j4loim.chk from XOR key fragments distributed across the endpointmap and bytecraft dependencies. It downloads the PE binary via Node.js https.get with curl.exe and bitsadmin.exe as LOLBin fallbacks, overwrites the Zone.Identifier ADS (ZoneId=0) to strip Mark-of-the-Web, and silently executes the binary. Stage-2 PE SHA256: 250e489e797bf67cd23b6817104a51a3f5ce322ddcce636c5b2a94e05e73bc55. Stage-2 capabilities are unknown.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownprocwireall versions (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›