VDB

GCVE-110-OSM-2026-6487

GCVE-110-OSM-2026-6487
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 21, 2026
kisamajs is a Node.js Remote Administration Tool (RAT) / C2 implant masquerading as a system-monitoring "probe" or terminal-management utility. It is the JavaScript port of a Chinese C2 framework named "kisama" (confirmed by the Noise protocol prologue "kisama_terminal_v1" and the README's explicit "Node.js implementation of the Python version" statement). Package keywords (探针/probe, 玩具/toy, 游戏机/game console, 终端管理/terminal management) and author liming reinforce attribution to a Chinese-language threat actor or tooling project. Operating model: Inbound listener, not outbound beaconer. The package binds an Express HTTP/WebSocket server to 0.0.0.0:8000 (configurable via HOST/PORT / SERVER_PORT env vars) and waits for the operator to connect into the victim host. There is no hard-coded C2 URL because the agent IS the C2 endpoint; the operator authenticates with an out-of-band ECDSA private key. Capabilities exposed to the authenticated operator: - Arbitrary command execution via child_process.exec (POST /api/exec) - Arbitrary file read / write / delete / move / copy / chmod / chunked upload up to 100 MB (/api/file/*) - Cron-based persistence — operator-defined shell commands on operator-defined schedules via node-cron (POST /api/task/cron) - One-shot batch command execution (POST /api/task/onetime) - Interactive PTY shell over WebSocket, tunneled through Noise_XX_25519_ChaChaPoly_BLAKE2s end-to-end encryption (WS /api/ws/*) - Host fingerprinting (OS, kernel, CPU, RAM, disk, virtualization detection for Docker/Podman/K8s/LXC/QEMU, public IPv4/IPv6) ENTRY agent.js (bin: agent.js) Single-file payload: agent.js (2,375 lines, 76,694 bytes), declared as main in package.json and executable via bin.start. The package contains only agent.js, package.json, and README.md (per the files allowlist). Payload acquisition model: The implant does NOT autonomously download additional payloads from a hard-coded URL. Secondary payloads are delivered operator-side through the authenticated control channel: - POST /api/file accepts base64-encoded file content (optionally chunked via chunk_id + total_chunks fields) and writes to disk under FILE_ROOT (defaults to user home directory). Max 100 MB by default (MAX_UPLOAD_SIZE). - POST /api/exec then executes the staged binary via child_process.exec with a 30-second default timeout (EXEC_TIMEOUT). - POST /api/task/cron installs persistence by registering node-cron jobs that re-execute attacker-chosen commands on attacker-chosen schedules. INDICATORS (IOCs) - payloadFileHash: a5bb19f7f52723eae39642b256f3f8f5f8c2f77c2e7b22ce57c01e120565f97b

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownkisamajsall (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›