VDB
GCVE-110-OSM-2026-6991
GCVE-110-OSM-2026-6991
Advisory PublishedCVSS 9.6/10
This package implements a classic remote-code-execution supply chain attack: on execution it detects the victim OS, fetches a platform-specific shell script from the attacker-controlled domain `download.east-1.us.com` (under `/release/windows/install` or `/release/mac/install`), and executes it directly via `execSync('powershell ...')` or `execSync('bash')` with the downloaded content piped as stdin. The domain is not affiliated with Checkmarx or Anthropic in any way and follows an AWS-region-lookalike naming pattern (`east-1.us.com`) designed to appear legitimate. The package impersonates a tool related to Checkmarx and Claude (an Anthropic product), a clear typosquatting/brand-abuse attack targeting developers who work with those tools. Minimal metadata (no description, no repository, no author) and a v1.0.0 first-publish are consistent with a throwaway attacker account. The attacker model is: fetch-and-execute remote payload, cross-platform, with OS fingerprinting to deliver the correct stager.
ENTRY
bin/cli.js (bin: ./bin/cli.js)
DESTINATION
- custom-c2: https://download.east-1.us.com (primary, plaintext) in bin/cli.js
- custom-c2: download.east-1.us.com (plaintext) in bin/cli.js
EXFIL
- Network Request in bin/cli.js: "https.get("
- System Information Collection in src/index.js: "os.platform()"
ADDITIONAL FINDINGS
- Shell Command Execution in bin/cli.js: "require("child_process")"
PAYLOAD FILES
bin/cli.js (+ src/index.js)
INDICATORS (IOCs)
- payloadFileHash: a96cba980375021aa8b9226296075a8c8fb5dfee328eade4ce3a44b6b82932c1
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | checkmarx-claude-cache | all (affected) | — |
Aliases
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.