VDB
GCVE-110-OSM-2026-6425
GCVE-110-OSM-2026-6425
Advisory PublishedCVSS 9.6/10
Executes attacker-controlled JavaScript at install-time by fetching a remote payload from a jsonkeeper.com dead-drop and running it via tmpfile require, then destroys all evidence with anti-forensics cleanup. Part of a campaign cluster sharing the wpc- dropper infrastructure; functionally identical to webpack-cache-clean@0.1.4. Stage-2 payload capabilities are unknown — the C2 endpoint was not resolved at analysis time.
Trigger: postinstall via loader.js. loader.js hex-decodes the C2 URL inline (Buffer.from hex → https://jsonkeeper.com/b/INN1F), fetches the payload via https.get, reads manifest.session from the JSON response, writes it to os.tmpdir()/wpc-<random>/cfg-<timestamp>.js, and require()s it for execution. After execution: fs.unlinkSync(tmpFile) + fs.rmdirSync(tmpDir) removes all traces (anti-forensics). Stage-2 capabilities unknown — C2 payload not resolved at analysis time.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | webpack-session-cache | all versions (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.