VDB
GCVE-110-OSM-2026-6283
GCVE-110-OSM-2026-6283
Advisory PublishedCVSS 9.6/10
Harvests Windows credentials at install time via UAC bypass and SYSTEM-level privilege escalation, then exfiltrates to a Cloudflare-tunneled C2. color-utils-eee0@1.0.0 executes node run.js from preinstall and postinstall hooks. On Windows, it performs a UAC bypass via fodhelper.exe COM hijack (HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command), registers a scheduled task running as NT AUTHORITY\\SYSTEM, and uses the SYSTEM context to harvest LSA secrets, Windows Credential Manager entries, Azure CLI/MSAL caches, PowerShell command history, NuGet credential stores, ProgramData credential files, service account names, and scheduled task user contexts. Credentials are exfiltrated via GET (summary) and POST (full dump) to https://meetings-bios-pot-cameron.trycloudflare.com/beacon. On Linux, a GET beacon signals execution. Campaign marker: 'tss-daas-creds'. Sibling: data-utils-2122 (C2: together-quick-fascinating-certainly.trycloudflare.com).
run.js (10,080 bytes) executed unconditionally by preinstall and postinstall hooks. Plaintext JavaScript with PowerShell constructed from array literals and base64-encoded at runtime. On win32: writes fodhelper.exe UAC bypass to registry, registers SYSTEM scheduled task, harvests all credential sources, serializes to JSON summary and full detail, POSTs to C2, then cleans up registry key, temp files, and scheduled task. On other platforms: sends single GET execution-signal beacon.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | color-utils-eee0 | all versions (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.