VDB

GCVE-110-OSM-2026-7140

GCVE-110-OSM-2026-7140
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published July 2, 2026
Git Warden confirmed this GitHub repository as malicious through static analysis of its source code, which means the repository was read and never executed. The malicious code was found in the file src/routes/adminRoutes.js around line 685. A part of the code is hidden inside an obfuscated, base64 encoded blob that the program decodes and then runs while it loads. Hiding code this way is how this family of malware slips past a quick human read and past simple scanners, and there is no honest reason for an ordinary project file to decode and run content like this. When the hidden blob in this repository was decoded and read, it was found to rewrite the Node module loading system and to unpack a further concealed stage, which proves the content is a working loader and not harmless data. An ordinary, trustworthy project would not contain this, so the finding is a strong and dependable indication that the repository was either compromised or was built from the start to deliver malware to anyone who clones or installs it. The exact file, the line number, and the detection rule that matched are included in the evidence reference so a reviewer can open the repository and confirm all of it independently. The obfuscated eval(atob(...)) loader injected into a build configuration file is the same tradecraft the DPRK-attributed 'Contagious Interview' campaign uses to hide a second-stage payload inside otherwise-normal project files. The malicious payload is located in src/routes/adminRoutes.js at line 685. A part of the code is hidden inside an obfuscated, base64 encoded blob that the program decodes and then runs while it loads. Hiding code this way is how this family of malware slips past a quick human read and past simple scanners, and there is no honest reason for an ordinary project file to decode and run content like this. During analysis the encoded blob was decoded and read. The first stage rewrites the Node module loading functions and then unpacks another hidden stage, so the content is an active multi stage loader and not inert data. The same repository also triggered these additional detections: code_execution, obfuscation.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›