VDB
GCVE-110-OSM-2026-6944
GCVE-110-OSM-2026-6944
Advisory PublishedCVSS 8.8/10
Suspected dependency confusion attack. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.
ENTRY
.prepare.cjs (install-hook: node .prepare.cjs)
- Install Hook Executes Local JS File in lib/package.json
DESTINATION
- urls: https://wgh.zzdsj.zhengzhou.gov.cn/iserver/services/map-ZhengZhouWangGeYiTiHua/rest/maps/threeLevelWangge/queryResults.json?returnContent=true` (c2, plaintext)
- domains: wgh.zzdsj.zhengzhou.gov.cn (c2, plaintext)
EXFIL
- Data Encoding for Exfiltration in lib/FileReview/index.tsx: "encodeURIComponent(Base64.encode(fileUrl"
- Network Request in .prepare.cjs: "https.request("
- System Information Collection in .prepare.cjs: "os.userInfo()"
- Suspicious Domain in lib/ApproveModal/index.tsx: "http://117.160.134.158"
OBFUSCATION
- Dynamic Base64 Decoding in lib/DgzQRCode/util.js: "atob(arr["
- Dynamic Base64 Decoding in lib/utils/index.ts: "atob(arr["
- Strings Extracted from Deobfuscated Code in lib/DgzQRCode/util.js
ADDITIONAL FINDINGS
- Brand New Package
- Publisher Has Other Malicious Packages
PAYLOAD FILES
.prepare.cjs
INDICATORS (IOCs)
- ipv4: 117.160.134.158
- urls: http://your-company-npm-registry.com, http://192.168.240.13:4873/, http://117.160.134.158:18090/story-view-10447.html, http://192.168.240.13:4873/@types/prop-types/-/prop-types-15.7.15.tgz, http://192.168.240.13:4873/@types/react/-/react-18.3.24.tgz (+6 more)
- domains: cdn.digitalcnzz.com, historyBtn.current.click, ProForm.Group, currentConfigData.current.id
- payloadFileHash: e74ff53507331adba43e77e20294a6a200dc28f99d817355cafc93e590434bf3
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @digitalcnzz/commonmodule | all (affected) | — |
Browse GCVE Records
73,044 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.