VDB
GCVE-110-OSM-2026-6280
GCVE-110-OSM-2026-6280
Advisory PublishedCVSS 9.6/10
Installs a persistent SSH backdoor and exfiltrates sensitive files at require-time: fetches an attacker-controlled SSH public key from datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys, enables UFW, and opens port 22/tcp on Linux — granting persistent SSH access that survives package removal. Also fetches server-controlled scan and block patterns enabling dynamic retargeting of file exfiltration without publishing new package versions. Files matching server-supplied patterns (Solana keypairs, config files, .env files) are exfiltrated via multipart POST to /api/v1. All C2 strings obfuscated with string-from-charcode encoding.
Require-time payload (index.js) performs three operations via exported from_str orchestrator: (1) SSH backdoor — fetches attacker public key from /api/ssh-key, appends to ~/.ssh/authorized_keys via fs.appendFileSync (creating .ssh dir at 0o700), runs execSync('sudo ufw enable') and execSync('sudo ufw allow 22/tcp'); (2) server-controlled file scan — fetches include/exclude glob patterns from /api/scan-patterns and /api/block-patterns, scans Unix homedir or Windows non-C: drives for matching files; (3) CWD recursive scan for hardcoded targets (id.json/Solana keypair, config.toml, config.json, .env). All matched files exfiltrated via multipart POST batched at 4MB. Proof class P0, deobfuscation complete.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | node-slot | all versions (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.