VDB
GCVE-110-OSM-2026-6487
GCVE-110-OSM-2026-6487
Advisory PublishedCVSS 8.8/10
kisamajs is a Node.js Remote Administration Tool (RAT) / C2 implant masquerading as a system-monitoring "probe" or terminal-management utility. It is the JavaScript port of a Chinese C2 framework named "kisama" (confirmed by the Noise protocol prologue "kisama_terminal_v1" and the README's explicit "Node.js implementation of the Python version" statement). Package keywords (探针/probe, 玩具/toy, 游戏机/game console, 终端管理/terminal management) and author liming reinforce attribution to a Chinese-language threat actor or tooling project.
Operating model: Inbound listener, not outbound beaconer. The package binds an Express HTTP/WebSocket server to 0.0.0.0:8000 (configurable via HOST/PORT / SERVER_PORT env vars) and waits for the operator to connect into the victim host. There is no hard-coded C2 URL because the agent IS the C2 endpoint; the operator authenticates with an out-of-band ECDSA private key.
Capabilities exposed to the authenticated operator:
- Arbitrary command execution via child_process.exec (POST /api/exec)
- Arbitrary file read / write / delete / move / copy / chmod / chunked upload up to 100 MB (/api/file/*)
- Cron-based persistence — operator-defined shell commands on operator-defined schedules via node-cron (POST /api/task/cron)
- One-shot batch command execution (POST /api/task/onetime)
- Interactive PTY shell over WebSocket, tunneled through Noise_XX_25519_ChaChaPoly_BLAKE2s end-to-end encryption (WS /api/ws/*)
- Host fingerprinting (OS, kernel, CPU, RAM, disk, virtualization detection for Docker/Podman/K8s/LXC/QEMU, public IPv4/IPv6)
ENTRY
agent.js (bin: agent.js)
Single-file payload: agent.js (2,375 lines, 76,694 bytes), declared as main in package.json and executable via bin.start. The package contains only agent.js, package.json, and README.md (per the files allowlist).
Payload acquisition model: The implant does NOT autonomously download additional payloads from a hard-coded URL. Secondary payloads are delivered operator-side through the authenticated control channel:
- POST /api/file accepts base64-encoded file content (optionally chunked via chunk_id + total_chunks fields) and writes to disk under FILE_ROOT (defaults to
user home directory). Max 100 MB by default (MAX_UPLOAD_SIZE).
- POST /api/exec then executes the staged binary via child_process.exec with a 30-second default timeout (EXEC_TIMEOUT).
- POST /api/task/cron installs persistence by registering node-cron jobs that re-execute attacker-chosen commands on attacker-chosen schedules.
INDICATORS (IOCs)
- payloadFileHash: a5bb19f7f52723eae39642b256f3f8f5f8c2f77c2e7b22ce57c01e120565f97b
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | kisamajs | all (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.