VDB
GCVE-110-OSM-2026-6181
GCVE-110-OSM-2026-6181
Advisory PublishedCVSS 8.8/10
Malicious package detected. Behaviors: data exfiltration, code execution.
ENTRY
bin/scan-only.js (bin: ./bin/scan-only.js)
PERSISTENCE
- Cron Job Persistence in bin/scan-only.js: "crontab -"
DESTINATION
- custom-c2: https://sentry.citadel-casino.com/collect (primary, plaintext) in bin/scan-only.js
- custom-c2: https://sffcar.fr (plaintext) in bin/scan-only.js
- custom-c2: https://lgaauto.fr (plaintext) in bin/scan-only.js
- custom-c2: https://ngmauto.fr (plaintext) in bin/scan-only.js
- custom-c2: https://sentry.citadel-casino.com/decoy (plaintext) in bin/scan-only.js
- custom-c2: sffcar.fr (plaintext) in bin/scan-only.js
- custom-c2: lgaauto.fr (plaintext) in bin/scan-only.js
- custom-c2: ngmauto.fr (plaintext) in bin/scan-only.js
EXFIL
- Git Configuration Access in bin/scan-only.js: ".gitconfig"
- Network Request in bin/scan-only.js: "fetch('https:"
- System Information Collection in bin/scan-only.js: "os.userInfo()"
ADDITIONAL FINDINGS
- Shell Command Execution in bin/scan-only.js: "execSync("
- Silent Process Execution in bin/scan-only.js: "windowsHide: true"
- Shell Command Variable Setup in bin/scan-only.js: "'cmd.exe' : '/bin/sh'"
- Brand New Package
- Very New NPM Publisher Account
- Rapid Version Publishing
PAYLOAD FILES
bin/scan-only.js
INDICATORS (IOCs)
- sha256Hashes: 6a403d68dbd796e6812e53f9e58a65c3589fe11b18e2dc0f21812c0fcb1b1a3f
- payloadFileHash: 8b84db328061f2932ab18f3859648f4cb1c9eb65778f5b1f4d850e1ddea15817
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | scan-only | all (affected) | — |
Aliases
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.