VDB

GCVE-110-OSM-2026-6725

GCVE-110-OSM-2026-6725
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 26, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. ENTRY index.js (main: index.js) DESTINATION - custom-c2: html.spec.whatwg.org (primary, deobfuscated) in lib/websocket.js - custom-c2: gh.ac (deobfuscated) in lib/websocket.js - custom-c2: gh.ae (deobfuscated) in lib/websocket.js - custom-c2: gh.am (deobfuscated) in lib/websocket.js - custom-c2: gh.aC (deobfuscated) in lib/websocket.js - custom-c2: gh.aE (deobfuscated) in lib/websocket.js - custom-c2: gh.aM (deobfuscated) in lib/websocket.js - custom-c2: gh.gl (deobfuscated) in lib/websocket.js (+42 more) EXFIL - Data Encoding for Exfiltration in lib/websocket.js: "Buffer.from(opts.auth).toString('base64')" OBFUSCATION - IOCs Found in Deobfuscated Code in lib/websocket.js - Obfuscation: augmented proxied array function replacements in lib/websocket.js - Base64 Encoded Payload in lib/websocket.js: "'W5hcLhWqW4KsW6jZW47dSSknAh7cQCoKW63cGuhdNwVcKCkMW63cMsuPWQHke2/cHSobW6ZdTmoqiCo..." - Obfuscation: obfuscator.io in lib/websocket.js - Obfuscation patterns: stringArrayAccess, controlFlowFlattening in lib/websocket.js - recovered 50 domains, 50 _domainCandidates from decoded/deobfuscated content ADDITIONAL FINDINGS - Suspicious TLD Domain in lib/validation.js: "https://www.cl.cam" - Very New NPM Publisher Account PAYLOAD FILES lib/websocket.js INDICATORS (IOCs) - urls: http://websockets.github.io/ws/autobahn/clients/, http://websockets.github.io/ws/autobahn/servers/, https://www.cl.cam.ac.uk/%7Emgk25/ucs/utf8_check.c, http://2x.io - domains: www.host.com, websocket-echo.com, websockets.github.io, www.cl.cam.ac.uk - payloadFileHash: 30caa0b3ebb980d49f89ff3b9f545e4c0ff91b939e7ac91bfe9ee9b46d5b79b3

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@dervix/ws8.21.4 (affected)

References

advisory
vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›