VDB

GCVE-110-OSM-2026-7102

GCVE-110-OSM-2026-7102
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 2, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. ENTRY dist/index.js (bin: ./dist/index.js) DESTINATION - reconstructed: http://localhost:4111/api/system/api-schema (primary, reconstructed) in dist/index.js - custom-c2: css.global (deobfuscated) in dist/studio/assets/estree-CRgMSIiv.js - custom-c2: https://mastra.ai/api/templates.json (plaintext) in dist/chunk-4EG3WFWR.js - custom-c2: https://platform.mastra.ai (plaintext) in dist/chunk-4EG3WFWR.js - custom-c2: https://projects.mastra.ai (plaintext) in dist/chunk-4EG3WFWR.js - custom-c2: https://mastra.ai/docs/studio/overview (plaintext) in dist/chunk-4EG3WFWR.js - custom-c2: https://mastra.ai/docs/ (plaintext) in dist/chunk-4EG3WFWR.js - custom-c2: https://mastra.ai/docs/agents/overview (plaintext) in dist/chunk-4EG3WFWR.js (+22 more) EXFIL - Environment Variable Exfiltration in dist/chunk-4EG3WFWR.js: "process.env.MASTRA_TEMPLATES_API_URL || "https://mastra.ai/api/templates.json"; ..." - Environment Variable Exfiltration in dist/chunk-NGAJT6UU.js: "process.env.CI; } async function resolveCurrentOrg(token, opts = {}) { const org..." - Environment Variable Exfiltration in dist/index.js: "process.env.MASTRA_ORG_ID; if (envOrgId) { return { orgId: envOrgId, orgName: en..." - Corporate Environment Targeting in dist/index.js: "tMode: false, // Set to true for exact single tool match" - Corporate Environment Targeting in dist/studio/assets/engine-compile-BkERmzkH.js: "tModX()){const o=t.indexOf(` `,s);return{lastIndex:o===-1?t.length:o}}if(/^\s$/...." - Data Encoding for Exfiltration in dist/chunk-NGAJT6UU.js: "encodeURIComponent(inputData.city)}&count=1" - HTTP Data Exfiltration in dist/index.js: "process.cwd()); const latestDeploy = getLatestProjectDeploy( (await fetch" - Data Encoding for Exfiltration in dist/index.js: "encodeURIComponent(value" (+4 more) OBFUSCATION - IOCs Found in Deobfuscated Code in dist/studio/assets/estree-CRgMSIiv.js - Unicode Escape Obfuscation in dist/chunk-NGAJT6UU.js: "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u..." - String Array Obfuscation in dist/studio/assets/babel-CmeIX3PZ.js: "["break","case","catch","continue","debugger","default","do","else","finally","f..." - String Array Obfuscation in dist/studio/assets/core-Cp2Ep0UF.js: "["AElig","AMP","Aacute","Acirc","Agrave","Aring","Atilde","Auml","COPY","Ccedil"..." - Unicode Escape Obfuscation in dist/studio/assets/estree-CRgMSIiv.js: "\u203C\u2049\u2122\u2139\u2194" - String Array Obfuscation in dist/studio/assets/markdown-UIAJJxZW.js: "["css","html","ini","java","lua","make","perl","r","ruby","php","sql","vb","xml"..." - String Array Obfuscation in dist/studio/assets/shell-CjFT_Tl9.js: "["ab","awk","bash","beep","cat","cc","cd","chown","chmod","chroot","clear","cp",..." - String Array Obfuscation in dist/studio/assets/standalone-BioU5qLH.js: "["break","case","catch","continue","debugger","default","do","else","finally","f..." (+6 more) ADDITIONAL FINDINGS - Download Execute Delete Pattern in dist/chunk-4EG3WFWR.js: "exec(gitCommand, { cwd: process.cwd() }); const gitDir = path.join(targetPath, "..." - Reconstructed Obfuscated URL in dist/index.js: "http://localhost:4111/api/system/api-schema" - Shell Command Variable Setup in dist/chunk-EXG3XKBK.js: "win32") { execFileSync("cmd", ["/c", "start", "", url]); } else if (isWSL()) { e..." - Silent Process Execution in dist/chunk-NGAJT6UU.js: "stdio: "ignore"" - Platform Detection with Data Collection in dist/chunk-NGAJT6UU.js: "JSON.stringify({ distinctId, sessionId })); } catch { } } initializePostHog(apiK..." - Shell Command Execution in dist/index.js: "execSync(" (+3 more) PAYLOAD FILES dist/index.js (+ dist/chunk-NGAJT6UU.js, dist/studio/assets/estree-CRgMSIiv.js) INDICATORS (IOCs) - ipv6: e::, B:B:B:B:B:B:B:B, 8::, DDFF::, 2:: (+1 more) - urls: http://0.0.0.0:3000, https://mastra.ai/reference/cli/mastra, https://mastra.ai\, https://observability.mastra.ai`, https://observability.mastra.ai (+17 more) - domains: p.group, hono.dev, two.tf, seven.tf, t.global (+7 more) - payloadFileHash: bb4d410ee151452843454ca0aaf3b103587513ccac425f954f88ae94709ab897

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmastraqqqall (affected)

References

advisory
vendor

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›