VDB
GCVE-110-OSM-2026-7102
GCVE-110-OSM-2026-7102
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code.
ENTRY
dist/index.js (bin: ./dist/index.js)
DESTINATION
- reconstructed: http://localhost:4111/api/system/api-schema (primary, reconstructed) in dist/index.js
- custom-c2: css.global (deobfuscated) in dist/studio/assets/estree-CRgMSIiv.js
- custom-c2: https://mastra.ai/api/templates.json (plaintext) in dist/chunk-4EG3WFWR.js
- custom-c2: https://platform.mastra.ai (plaintext) in dist/chunk-4EG3WFWR.js
- custom-c2: https://projects.mastra.ai (plaintext) in dist/chunk-4EG3WFWR.js
- custom-c2: https://mastra.ai/docs/studio/overview (plaintext) in dist/chunk-4EG3WFWR.js
- custom-c2: https://mastra.ai/docs/ (plaintext) in dist/chunk-4EG3WFWR.js
- custom-c2: https://mastra.ai/docs/agents/overview (plaintext) in dist/chunk-4EG3WFWR.js
(+22 more)
EXFIL
- Environment Variable Exfiltration in dist/chunk-4EG3WFWR.js: "process.env.MASTRA_TEMPLATES_API_URL || "https://mastra.ai/api/templates.json"; ..."
- Environment Variable Exfiltration in dist/chunk-NGAJT6UU.js: "process.env.CI; } async function resolveCurrentOrg(token, opts = {}) { const org..."
- Environment Variable Exfiltration in dist/index.js: "process.env.MASTRA_ORG_ID; if (envOrgId) { return { orgId: envOrgId, orgName: en..."
- Corporate Environment Targeting in dist/index.js: "tMode: false, // Set to true for exact single tool match"
- Corporate Environment Targeting in dist/studio/assets/engine-compile-BkERmzkH.js: "tModX()){const o=t.indexOf(` `,s);return{lastIndex:o===-1?t.length:o}}if(/^\s$/...."
- Data Encoding for Exfiltration in dist/chunk-NGAJT6UU.js: "encodeURIComponent(inputData.city)}&count=1"
- HTTP Data Exfiltration in dist/index.js: "process.cwd()); const latestDeploy = getLatestProjectDeploy( (await fetch"
- Data Encoding for Exfiltration in dist/index.js: "encodeURIComponent(value"
(+4 more)
OBFUSCATION
- IOCs Found in Deobfuscated Code in dist/studio/assets/estree-CRgMSIiv.js
- Unicode Escape Obfuscation in dist/chunk-NGAJT6UU.js: "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u..."
- String Array Obfuscation in dist/studio/assets/babel-CmeIX3PZ.js: "["break","case","catch","continue","debugger","default","do","else","finally","f..."
- String Array Obfuscation in dist/studio/assets/core-Cp2Ep0UF.js: "["AElig","AMP","Aacute","Acirc","Agrave","Aring","Atilde","Auml","COPY","Ccedil"..."
- Unicode Escape Obfuscation in dist/studio/assets/estree-CRgMSIiv.js: "\u203C\u2049\u2122\u2139\u2194"
- String Array Obfuscation in dist/studio/assets/markdown-UIAJJxZW.js: "["css","html","ini","java","lua","make","perl","r","ruby","php","sql","vb","xml"..."
- String Array Obfuscation in dist/studio/assets/shell-CjFT_Tl9.js: "["ab","awk","bash","beep","cat","cc","cd","chown","chmod","chroot","clear","cp",..."
- String Array Obfuscation in dist/studio/assets/standalone-BioU5qLH.js: "["break","case","catch","continue","debugger","default","do","else","finally","f..."
(+6 more)
ADDITIONAL FINDINGS
- Download Execute Delete Pattern in dist/chunk-4EG3WFWR.js: "exec(gitCommand, { cwd: process.cwd() }); const gitDir = path.join(targetPath, "..."
- Reconstructed Obfuscated URL in dist/index.js: "http://localhost:4111/api/system/api-schema"
- Shell Command Variable Setup in dist/chunk-EXG3XKBK.js: "win32") { execFileSync("cmd", ["/c", "start", "", url]); } else if (isWSL()) { e..."
- Silent Process Execution in dist/chunk-NGAJT6UU.js: "stdio: "ignore""
- Platform Detection with Data Collection in dist/chunk-NGAJT6UU.js: "JSON.stringify({ distinctId, sessionId })); } catch { } } initializePostHog(apiK..."
- Shell Command Execution in dist/index.js: "execSync("
(+3 more)
PAYLOAD FILES
dist/index.js (+ dist/chunk-NGAJT6UU.js, dist/studio/assets/estree-CRgMSIiv.js)
INDICATORS (IOCs)
- ipv6: e::, B:B:B:B:B:B:B:B, 8::, DDFF::, 2:: (+1 more)
- urls: http://0.0.0.0:3000, https://mastra.ai/reference/cli/mastra, https://mastra.ai\, https://observability.mastra.ai`, https://observability.mastra.ai (+17 more)
- domains: p.group, hono.dev, two.tf, seven.tf, t.global (+7 more)
- payloadFileHash: bb4d410ee151452843454ca0aaf3b103587513ccac425f954f88ae94709ab897
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | mastraqqq | all (affected) | — |
Aliases
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.