VDB

GCVE-110-OSM-2026-7118

GCVE-110-OSM-2026-7118
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 2, 2026
This is an ad-injection/browser-hijacking package operated as an active campaign. The entrypoint `px.js` injects a fullscreen iframe overlay loading attacker-controlled content from `mfmz.syndagroup.cn/H.html?c=0gjr`, completely hijacking the victim browser viewport. The operational script `update_px8my.sh` exposes the attacker's full workflow: rotate the C2 domain in `px.js`, auto-increment the version, re-publish to npm, then purge jsDelivr CDN cache so the updated payload propagates to all cached consumers — a deliberate domain-rotation scheme to evade blocklists. The 25-version publish cadence over 13 days is consistent with this automated domain-rotation loop. The publisher `nianpm` has a 0.5 malicious ratio (sibling package `zhuanhua` already confirmed malicious in OSM), confirming a repeat threat actor running multiple malicious packages simultaneously. ENTRY px.js (main: px.js) DESTINATION - custom-c2: mfyz.gsmr06.cn (primary, plaintext) in update_px8my.sh EXFIL - Network Request in update_px8my.sh: "urllib.request.urlopen(" ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages - Publisher Shows Burner-Account Pattern PAYLOAD FILES update_px8my.sh INDICATORS (IOCs) - domains: mfmz.syndagroup.cn - payloadFileHash: 8aecc50ff22d1b075d75cf9c758c94eba81a7a29a2dcc3b9ff160e7c15bf0d8d

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpx8myall (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›