VDB
GCVE-110-OSM-2026-7118
GCVE-110-OSM-2026-7118
Advisory PublishedCVSS 9.6/10
This is an ad-injection/browser-hijacking package operated as an active campaign. The entrypoint `px.js` injects a fullscreen iframe overlay loading attacker-controlled content from `mfmz.syndagroup.cn/H.html?c=0gjr`, completely hijacking the victim browser viewport. The operational script `update_px8my.sh` exposes the attacker's full workflow: rotate the C2 domain in `px.js`, auto-increment the version, re-publish to npm, then purge jsDelivr CDN cache so the updated payload propagates to all cached consumers — a deliberate domain-rotation scheme to evade blocklists. The 25-version publish cadence over 13 days is consistent with this automated domain-rotation loop. The publisher `nianpm` has a 0.5 malicious ratio (sibling package `zhuanhua` already confirmed malicious in OSM), confirming a repeat threat actor running multiple malicious packages simultaneously.
ENTRY
px.js (main: px.js)
DESTINATION
- custom-c2: mfyz.gsmr06.cn (primary, plaintext) in update_px8my.sh
EXFIL
- Network Request in update_px8my.sh: "urllib.request.urlopen("
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
- Publisher Shows Burner-Account Pattern
PAYLOAD FILES
update_px8my.sh
INDICATORS (IOCs)
- domains: mfmz.syndagroup.cn
- payloadFileHash: 8aecc50ff22d1b075d75cf9c758c94eba81a7a29a2dcc3b9ff160e7c15bf0d8d
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | px8my | all (affected) | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.