VDB

GCVE-110-OSM-2026-6242

GCVE-110-OSM-2026-6242
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 18, 2026
The code itself is completely benign and functional (real XOR/hex/base64/buffer utilities, nothing hidden). Its' role is the decryption primitive the other two packages depend on. bytecraft presents as a generic buffer/byte manipulation utility library (XOR, base64, hex encoding, buffer rotation, padding, etc.). Every individual function is a standard, correctly-implemented utility — there is no obfuscated or malicious code anywhere in the package, and it would pass any static or dynamic analysis tool looking for malicious patterns in isolation. Its role in the attack is supplying the generic primitive — specifically the xor() function — that the campaign's other two packages (endpointmap and procwire) use to decrypt a split, obfuscated C2 URL at runtime. endpointmap/lib/registry.js stores the encrypted halves; procwire imports both endpointmap and bytecraft, derives a decryption key from endpointmap's package name, and calls bytecraft.xor() to reconstruct the address before passing it to its dropper module. This is the same technique seen in obfuscation-as-a-service patterns: by keeping the actual cryptographic primitive in a separate, dependency-free utility package, the campaign ensures that no single package contains both the encrypted secret and the decryption logic in one place, and that the utility package itself has no malicious code to detect. Verification performed: this package's xor() function was independently executed against the real encrypted arrays from endpointmap/lib/registry.js, reproducing exactly what procwire does at runtime. The decryption succeeded and produced a coherent payload URL: https://files.catbox.moe/j4loim(.)chk No dependencies. Used by endpointmap (^1.5.0 dependency), procwire Published: 2026-06-16T14:44:00.265Z This confirms bytecraft.xor() is the actual decryption primitive used to reconstruct the C2 address, not an incidental utility. Key IOCs: No malicious code in the package itself — flagged for its role as a supporting dependency, not standalone malicious behavior The xor() function is the verified decryption primitive used to reconstruct the procwire C2 URL Coordinated with: endpointmap (publisher yingyane, published 4 min later, depends on bytecraft) and procwire (publisher framenull, published ~9 min later, depends on both) All three packages published within a 9-minute window on 2026-06-16

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownbytecraft1.5.0 (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›