VDB

GCVE-110-OSM-2026-6686

GCVE-110-OSM-2026-6686
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 26, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution. ENTRY scripts/loader.js (install-hook: node scripts/loader.js) - Install Hook Executes Local JS File in package.json DESTINATION - custom-c2: https://api.braintreegateway.com/merchants/49pp2rp4phym7387/client_api/v*/payment_methods/paypal_accounts (primary, binary) in payload.exe - custom-c2: https://api.stripe.com/v*/tokens (binary) in payload.exe - custom-c2: http://751.lol (binary) in payload.exe - custom-c2: https://751.lol (binary) in payload.exe - custom-c2: discordapp.com (binary) in payload.exe - custom-c2: api.braintreegateway.com (binary) in payload.exe - custom-c2: api.stripe.com (binary) in payload.exe - custom-c2: 751.lol (binary) in payload.exe (+2 more) EXFIL - Dynamic C2 Endpoint Construction in payload.exe: "function J(A9,Ae){let AA=A9[L];AA===undefined&&(AA=N++,A9[L]=AA),q[AA]=Ae,R[AA]=..." OBFUSCATION - Base64 Encoded Payload in payload.exe: "'goESmK8CAhQIGkJyb3dzZXJXaW5kb3cIGmdldEFsbFdpbmRvd3MEAAgOUHJvbWlzZQgOcmVzb2x2ZQQ..." - String Array Obfuscation in payload.exe: "AI[Ay-0x1]" ADDITIONAL FINDINGS - Global Require Alias in payload.exe: "module['exports']=require" - Binary: Injection in payload.exe: "VirtualProtect" - Indirect Function Constructor Access in payload.exe: "['constructor']" - Shell Command Execution in scripts/loader.js: "require('child_process')" - Brand New Package - Rapid Version Publishing (+4 more) PAYLOAD FILES payload.exe INDICATORS (IOCs) - binaryHashes: dc33a150345013895970ca8a0bb40e4652577dee5f55eaf10ce2be1c74121aa4 - payloadFileHash: e7744f848470d1362d1425e9259b8a306f0592180d4f619ce814f02f0c5e70fa

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownvelocityfixall (affected)

References

advisory
vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›