VDB
GCVE-110-OSM-2026-6242
GCVE-110-OSM-2026-6242
Advisory PublishedCVSS 8.8/10
The code itself is completely benign and functional (real XOR/hex/base64/buffer utilities, nothing hidden). Its' role is the decryption primitive the other two packages depend on.
bytecraft presents as a generic buffer/byte manipulation utility library (XOR, base64, hex encoding, buffer rotation, padding, etc.). Every individual function is a standard, correctly-implemented utility — there is no obfuscated or malicious code anywhere in the package, and it would pass any static or dynamic analysis tool looking for malicious patterns in isolation.
Its role in the attack is supplying the generic primitive — specifically the xor() function — that the campaign's other two packages (endpointmap and procwire) use to decrypt a split, obfuscated C2 URL at runtime. endpointmap/lib/registry.js stores the encrypted halves; procwire imports both endpointmap and bytecraft, derives a decryption key from endpointmap's package name, and calls bytecraft.xor() to reconstruct the address before passing it to its dropper module.
This is the same technique seen in obfuscation-as-a-service patterns: by keeping the actual cryptographic primitive in a separate, dependency-free utility package, the campaign ensures that no single package contains both the encrypted secret and the decryption logic in one place, and that the utility package itself has no malicious code to detect.
Verification performed: this package's xor() function was independently executed against the real encrypted arrays from endpointmap/lib/registry.js, reproducing exactly what procwire does at runtime. The decryption succeeded and produced a coherent payload URL: https://files.catbox.moe/j4loim(.)chk
No dependencies. Used by endpointmap (^1.5.0 dependency), procwire
Published: 2026-06-16T14:44:00.265Z
This confirms bytecraft.xor() is the actual decryption primitive used to reconstruct the C2 address, not an incidental utility.
Key IOCs:
No malicious code in the package itself — flagged for its role as a supporting dependency, not standalone malicious behavior
The xor() function is the verified decryption primitive used to reconstruct the procwire C2 URL
Coordinated with: endpointmap (publisher yingyane, published 4 min later, depends on bytecraft) and procwire (publisher framenull, published ~9 min later, depends on both)
All three packages published within a 9-minute window on 2026-06-16
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | bytecraft | 1.5.0 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.