VDB

GCVE-110-OSM-2026-6928

GCVE-110-OSM-2026-6928
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 29, 2026
The postinstall hook `.prepare.cjs` is a sophisticated credential-harvesting and environment-exfiltration payload. It decodes its C2 hostname at runtime using a reverse-and-subtract-7 charcode scheme: the decoded host is `open.larksuite.com` (a Lark/Feishu webhook endpoint), consistent with DPRK-linked Contagious Interview campaign TTPs that use Lark for exfiltration. The payload collects all process environment variables (explicitly filtering only `npm_lifecycle` prefixes), targeting `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `GITHUB_TOKEN`, and `NPM_TOKEN` by name via charcode-encoded strings, then POSTs the full dump as a Lark message. The code contains extensive multi-layered sandbox evasion: it checks for honeypot framework env vars (PYPI_POISON_HONEY_TOKEN, SANDYCLAW_*, OPENCLAW_*, PERMISO_*, CHAINRADAR_*), known analysis usernames (nonroot, sandbox, malware, scan), hostname patterns (detonat, cuckoo, virus, scan, chainradar), mock CA cert paths (/tmp/mock), TLS inspection indicators, and known test AWS credentials (AKIAIOSFODNN7EXAMPLE). The publisher account is brand new with four packages across three suspicious namespaces, no repository, and zero download history, fitting the supply chain poisoning attacker model. ENTRY .prepare.cjs (install-hook: node .prepare.cjs) - Install Hook Executes Local JS File in package.json EXFIL - Network Request in .prepare.cjs: "https.request(" - System Information Collection in .prepare.cjs: "os.userInfo()" ADDITIONAL FINDINGS - Brand New Package PAYLOAD FILES .prepare.cjs INDICATORS (IOCs) - urls: http://192.168.100.4/app/lzy-react-native/lzy-react-native-polyfill - payloadFileHash: d17157828b17732d1577bf74528962b924d57f28f238f5df8fe3c31411ae84a4

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@longzy/react-native-polyfillall (affected)

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›