VDB

GCVE-110-OSM-2026-6283

GCVE-110-OSM-2026-6283
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 19, 2026
Harvests Windows credentials at install time via UAC bypass and SYSTEM-level privilege escalation, then exfiltrates to a Cloudflare-tunneled C2. color-utils-eee0@1.0.0 executes node run.js from preinstall and postinstall hooks. On Windows, it performs a UAC bypass via fodhelper.exe COM hijack (HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command), registers a scheduled task running as NT AUTHORITY\\SYSTEM, and uses the SYSTEM context to harvest LSA secrets, Windows Credential Manager entries, Azure CLI/MSAL caches, PowerShell command history, NuGet credential stores, ProgramData credential files, service account names, and scheduled task user contexts. Credentials are exfiltrated via GET (summary) and POST (full dump) to https://meetings-bios-pot-cameron.trycloudflare.com/beacon. On Linux, a GET beacon signals execution. Campaign marker: 'tss-daas-creds'. Sibling: data-utils-2122 (C2: together-quick-fascinating-certainly.trycloudflare.com). run.js (10,080 bytes) executed unconditionally by preinstall and postinstall hooks. Plaintext JavaScript with PowerShell constructed from array literals and base64-encoded at runtime. On win32: writes fodhelper.exe UAC bypass to registry, registers SYSTEM scheduled task, harvests all credential sources, serializes to JSON summary and full detail, POSTs to C2, then cleans up registry key, temp files, and scheduled task. On other platforms: sends single GET execution-signal beacon.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncolor-utils-eee0all versions (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›