VDB
GCVE-110-OSM-2026-7113
GCVE-110-OSM-2026-7113
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity.
ENTRY
bin/redgun.js (bin: ./bin/redgun.js)
PERSISTENCE
- Startup Persistence in src/core/session.js: ".profile"
DESTINATION
- custom-c2: http://169.254.169.254/latest/meta-data/ (primary, plaintext) in scan.js
- custom-c2: http://[::1 (plaintext) in scan.js
- custom-c2: http://metadata.google.internal/computeMetadata/v1/ (plaintext) in src/remote/advanced.js
- custom-c2: http://169.254.169.254/metadata/instance?api-version=2021-02-01 (plaintext) in src/remote/advanced.js
- custom-c2: http://[0:0:0:0:0:ffff:127.0.0.1 (plaintext) in src/remote/complete.js
- custom-c2: http://127.0.0.1.xip.io/ (plaintext) in src/remote/complete.js
- custom-c2: http://0.0.0.0/ (plaintext) in src/remote/complete.js
- custom-c2: http://http-redirector.burpcollaborator.net/redirect?target=http://169.254.169.254/ (plaintext) in src/remote/complete.js
(+7 more)
EXFIL
- Corporate Environment Targeting in src/local/xpath-ssi.js: "tmod|config)/gi, name: 'Server-Side Includes"
- OAST/Interactsh Exfiltration in src/remote/complete.js: "burpcollaborator.net"
- Sensitive File Access in src/remote/modern.js: ""/etc/passwd""
- OAST/Interactsh Exfiltration in src/remote/portswigger.js: "burpcollaborator.net"
- Data Encoding for Exfiltration in scan.js: "encodeURIComponent(payload"
- Git Configuration Access in src/core/advanced-features.js: ".git/config"
- Data Encoding for Exfiltration in src/core/repl.js: "encodeURIComponent(payload)}`, {}, 5000"
- Data Encoding for Exfiltration in src/core/session.js: "Buffer.from(`${profile.username}:${profile.password}`).toString('base64')"
(+11 more)
ADDITIONAL FINDINGS
- Dynamic Code Execution in src/local/access-control.js: "exec(content)"
- Shell Command Execution in src/local/dependencies.js: "execSync("
- Dangerous Function Calls in src/local/deserialization.js: "yaml.load("
- Rapid Version Publishing
PAYLOAD FILES
src/remote/complete.js (+ src/remote/modern.js, src/local/xpath-ssi.js)
INDICATORS (IOCs)
- domains: options.ci, d3js.org, d.group, jwt.io
- emails: target@victim.com
- payloadFileHash: 9cf02a5957cce7d48160b5bab8f8be16cc1155cb7fd363f5e429a93b659e82a8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | redgun-security | 4.0.0 (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.