VDB

GCVE-110-OSM-2026-6425

GCVE-110-OSM-2026-6425
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 21, 2026
Executes attacker-controlled JavaScript at install-time by fetching a remote payload from a jsonkeeper.com dead-drop and running it via tmpfile require, then destroys all evidence with anti-forensics cleanup. Part of a campaign cluster sharing the wpc- dropper infrastructure; functionally identical to webpack-cache-clean@0.1.4. Stage-2 payload capabilities are unknown — the C2 endpoint was not resolved at analysis time. Trigger: postinstall via loader.js. loader.js hex-decodes the C2 URL inline (Buffer.from hex → https://jsonkeeper.com/b/INN1F), fetches the payload via https.get, reads manifest.session from the JSON response, writes it to os.tmpdir()/wpc-<random>/cfg-<timestamp>.js, and require()s it for execution. After execution: fs.unlinkSync(tmpFile) + fs.rmdirSync(tmpDir) removes all traces (anti-forensics). Stage-2 capabilities unknown — C2 payload not resolved at analysis time.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownwebpack-session-cacheall versions (affected)

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›