VDB
GCVE-110-OSM-2026-6686
GCVE-110-OSM-2026-6686
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution.
ENTRY
scripts/loader.js (install-hook: node scripts/loader.js)
- Install Hook Executes Local JS File in package.json
DESTINATION
- custom-c2: https://api.braintreegateway.com/merchants/49pp2rp4phym7387/client_api/v*/payment_methods/paypal_accounts (primary, binary) in payload.exe
- custom-c2: https://api.stripe.com/v*/tokens (binary) in payload.exe
- custom-c2: http://751.lol (binary) in payload.exe
- custom-c2: https://751.lol (binary) in payload.exe
- custom-c2: discordapp.com (binary) in payload.exe
- custom-c2: api.braintreegateway.com (binary) in payload.exe
- custom-c2: api.stripe.com (binary) in payload.exe
- custom-c2: 751.lol (binary) in payload.exe
(+2 more)
EXFIL
- Dynamic C2 Endpoint Construction in payload.exe: "function J(A9,Ae){let AA=A9[L];AA===undefined&&(AA=N++,A9[L]=AA),q[AA]=Ae,R[AA]=..."
OBFUSCATION
- Base64 Encoded Payload in payload.exe: "'goESmK8CAhQIGkJyb3dzZXJXaW5kb3cIGmdldEFsbFdpbmRvd3MEAAgOUHJvbWlzZQgOcmVzb2x2ZQQ..."
- String Array Obfuscation in payload.exe: "AI[Ay-0x1]"
ADDITIONAL FINDINGS
- Global Require Alias in payload.exe: "module['exports']=require"
- Binary: Injection in payload.exe: "VirtualProtect"
- Indirect Function Constructor Access in payload.exe: "['constructor']"
- Shell Command Execution in scripts/loader.js: "require('child_process')"
- Brand New Package
- Rapid Version Publishing
(+4 more)
PAYLOAD FILES
payload.exe
INDICATORS (IOCs)
- binaryHashes: dc33a150345013895970ca8a0bb40e4652577dee5f55eaf10ce2be1c74121aa4
- payloadFileHash: e7744f848470d1362d1425e9259b8a306f0592180d4f619ce814f02f0c5e70fa
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | velocityfix | all (affected) | — |
Aliases
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.