VDB

GCVE-110-OSM-2026-7113

GCVE-110-OSM-2026-7113
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 30, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, network activity. ENTRY bin/redgun.js (bin: ./bin/redgun.js) PERSISTENCE - Startup Persistence in src/core/session.js: ".profile" DESTINATION - custom-c2: http://169.254.169.254/latest/meta-data/ (primary, plaintext) in scan.js - custom-c2: http://[::1 (plaintext) in scan.js - custom-c2: http://metadata.google.internal/computeMetadata/v1/ (plaintext) in src/remote/advanced.js - custom-c2: http://169.254.169.254/metadata/instance?api-version=2021-02-01 (plaintext) in src/remote/advanced.js - custom-c2: http://[0:0:0:0:0:ffff:127.0.0.1 (plaintext) in src/remote/complete.js - custom-c2: http://127.0.0.1.xip.io/ (plaintext) in src/remote/complete.js - custom-c2: http://0.0.0.0/ (plaintext) in src/remote/complete.js - custom-c2: http://http-redirector.burpcollaborator.net/redirect?target=http://169.254.169.254/ (plaintext) in src/remote/complete.js (+7 more) EXFIL - Corporate Environment Targeting in src/local/xpath-ssi.js: "tmod|config)/gi, name: 'Server-Side Includes" - OAST/Interactsh Exfiltration in src/remote/complete.js: "burpcollaborator.net" - Sensitive File Access in src/remote/modern.js: ""/etc/passwd"" - OAST/Interactsh Exfiltration in src/remote/portswigger.js: "burpcollaborator.net" - Data Encoding for Exfiltration in scan.js: "encodeURIComponent(payload" - Git Configuration Access in src/core/advanced-features.js: ".git/config" - Data Encoding for Exfiltration in src/core/repl.js: "encodeURIComponent(payload)}`, {}, 5000" - Data Encoding for Exfiltration in src/core/session.js: "Buffer.from(`${profile.username}:${profile.password}`).toString('base64')" (+11 more) ADDITIONAL FINDINGS - Dynamic Code Execution in src/local/access-control.js: "exec(content)" - Shell Command Execution in src/local/dependencies.js: "execSync(" - Dangerous Function Calls in src/local/deserialization.js: "yaml.load(" - Rapid Version Publishing PAYLOAD FILES src/remote/complete.js (+ src/remote/modern.js, src/local/xpath-ssi.js) INDICATORS (IOCs) - domains: options.ci, d3js.org, d.group, jwt.io - emails: target@victim.com - payloadFileHash: 9cf02a5957cce7d48160b5bab8f8be16cc1155cb7fd363f5e429a93b659e82a8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownredgun-security4.0.0 (affected)

References

vendor

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›