VDB
GCVE-110-OSM-2026-6928
GCVE-110-OSM-2026-6928
Advisory PublishedCVSS 9.6/10
The postinstall hook `.prepare.cjs` is a sophisticated credential-harvesting and environment-exfiltration payload. It decodes its C2 hostname at runtime using a reverse-and-subtract-7 charcode scheme: the decoded host is `open.larksuite.com` (a Lark/Feishu webhook endpoint), consistent with DPRK-linked Contagious Interview campaign TTPs that use Lark for exfiltration. The payload collects all process environment variables (explicitly filtering only `npm_lifecycle` prefixes), targeting `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `GITHUB_TOKEN`, and `NPM_TOKEN` by name via charcode-encoded strings, then POSTs the full dump as a Lark message. The code contains extensive multi-layered sandbox evasion: it checks for honeypot framework env vars (PYPI_POISON_HONEY_TOKEN, SANDYCLAW_*, OPENCLAW_*, PERMISO_*, CHAINRADAR_*), known analysis usernames (nonroot, sandbox, malware, scan), hostname patterns (detonat, cuckoo, virus, scan, chainradar), mock CA cert paths (/tmp/mock), TLS inspection indicators, and known test AWS credentials (AKIAIOSFODNN7EXAMPLE). The publisher account is brand new with four packages across three suspicious namespaces, no repository, and zero download history, fitting the supply chain poisoning attacker model.
ENTRY
.prepare.cjs (install-hook: node .prepare.cjs)
- Install Hook Executes Local JS File in package.json
EXFIL
- Network Request in .prepare.cjs: "https.request("
- System Information Collection in .prepare.cjs: "os.userInfo()"
ADDITIONAL FINDINGS
- Brand New Package
PAYLOAD FILES
.prepare.cjs
INDICATORS (IOCs)
- urls: http://192.168.100.4/app/lzy-react-native/lzy-react-native-polyfill
- payloadFileHash: d17157828b17732d1577bf74528962b924d57f28f238f5df8fe3c31411ae84a4
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @longzy/react-native-polyfill | all (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.