VDB
GCVE-110-OSM-2026-6133
GCVE-110-OSM-2026-6133
Advisory PublishedCVSS 8.8/10
Executes a postinstall hook that XOR-decrypts a concealed stage-2 download URL split across two coordinated dependency packages (endpointmap, bytecraft), retrieves a Windows PE binary from files.catbox.moe via a LOLBin download chain (https.get → curl.exe → bitsadmin.exe fallbacks), strips the Mark-of-the-Web Zone.Identifier ADS to bypass Windows SmartScreen, and silently executes the PE. Part of a coordinated three-package campaign published under @deltajohnsons.com on 2026-06-16.
The postinstall hook reconstructs the download URL https://files.catbox.moe/j4loim.chk from XOR key fragments distributed across the endpointmap and bytecraft dependencies. It downloads the PE binary via Node.js https.get with curl.exe and bitsadmin.exe as LOLBin fallbacks, overwrites the Zone.Identifier ADS (ZoneId=0) to strip Mark-of-the-Web, and silently executes the binary. Stage-2 PE SHA256: 250e489e797bf67cd23b6817104a51a3f5ce322ddcce636c5b2a94e05e73bc55. Stage-2 capabilities are unknown.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | procwire | all versions (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.