VDB

GCVE-110-OSM-2026-7540

GCVE-110-OSM-2026-7540
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 8, 2026
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution. ENTRY scripts/postinstall-clipboard-event.mjs (install-hook: node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-durable-materialize.mjs && node scripts/postinstall-bootstrap.mjs && node scripts/postinstall-agent.mjs) - Install Hook Executes Local JS File in package.json - Hidden NPM Install in scripts/ensure-dist.mjs LOOT - Cryptocurrency Wallet Theft in assets/secret_filename_patterns.json: "wallet.dat" - Cryptocurrency Wallet Theft in dist/assets/secret_filename_patterns.json: "wallet.dat" - Cryptocurrency Wallet Theft in dist/inputContext.js: "seed phrase" - Cryptocurrency Wallet Theft in dist/secretScan/contentScanner.js: "seedPhrase" - Cryptocurrency Wallet Theft in dist/secretScan/strictMaterialGate.d.ts: "MnemonicPhrase" - Cryptocurrency Wallet Theft in dist/secretScan/strictMaterialGate.js: "MnemonicPhrase" PERSISTENCE - Startup Persistence in assets/files-explorer-template.html: ".bashrc" - Startup Persistence in dist/assets/files-explorer-template.html: ".bashrc" - Startup Persistence in dist/chromiumExtensionDbHarvest.js: ".profile" - Startup Persistence in dist/fsProtocol.d.ts: ".profile" - Startup Persistence in dist/fsProtocol.js: ".profile" DESTINATION - custom-c2: https://| (primary, plaintext) in assets/files-explorer-template.html - custom-c2: http://| (plaintext) in assets/files-explorer-template.html - custom-c2: http://127.0.0.1:… (plaintext) in assets/files-explorer-template.html - custom-c2: https://relay:port/api/forge-jsxy-package.tgz` (plaintext) in dist/relayPackageServe.js - custom-c2: https://a` (plaintext) in dist/relayServer.js - custom-c2: http://api:8765 (plaintext) in dist/workerBootstrap.js - custom-c2: http://212.193.3.61:9877 (plaintext) in scripts/windows-forge-diagnostics.ps1 - custom-c2: nvm.sh (plaintext) in assets/files-explorer-template.html (+4 more) EXFIL - Corporate Environment Targeting in assets/files-explorer-template.html: "tMode(true); setGateSt" - Corporate Environment Targeting in dist/assets/files-explorer-template.html: "tMode(true); setGateSt" - Environment Variable Exfiltration in dist/autostart/agentEnvFile.js: "process.env.CFGMGR_HF_FETCH_FROM_RELAY ?? "").trim()) { process.env.CFGMGR_HF_FE..." - Environment Variable Exfiltration in dist/discordRelayUpload.js: "process.env.RELAY_FORGE_DB_API_KEY || process.env.FORGE_DB_API_KEY || "").trim()..." - Environment Variable Exfiltration in dist/extensionDbHfUpload.js: "process.env.FORGE_JS_AGENT_EXTENSION_DB_HF_UPLOAD || "1") .trim() .toLowerCase()..." - Environment Variable Exfiltration in dist/hfUpload.js: "process.env.CFGMGR_HF_VERBOSE_ERRORS === "1") { return `${msg}\n${stack}`; } ret..." - Environment Variable Exfiltration in dist/relayAgent.js: "process.env.CFGMGR_HF_FETCH" - Environment Variable Exfiltration in dist/relayServer.js: "process.env.RELAY_FORGE_DB_API_KEY || process.env.FORGE_DB_API_KEY || "").trim()..." (+60 more) OBFUSCATION - Dynamic Base64 Decoding in assets/files-explorer-template.html: "atob(m." - Dynamic Base64 Decoding in assets/remote-control-template.html: "atob(rawB64)" - Dynamic Base64 Decoding in dist/assets/files-explorer-template.html: "atob(m." - Dynamic Base64 Decoding in dist/assets/remote-control-template.html: "atob(rawB64)" - Dynamic Base64 Decoding in dist/deploymentDefaults.js: "Buffer.from(t, "base64")" - Dynamic Base64 Decoding in dist/discordAgentScreenshot.js: "Buffer.from(rawB64, "base64")" - Dynamic Base64 Decoding in dist/discordRelayUpload.js: "Buffer.from(b64, "base64")" - Dynamic Base64 Decoding in dist/forgeBulkDc.js: "Buffer.from(b64, "base64")" (+15 more) ADDITIONAL FINDINGS - Download Execute Delete Pattern in dist/autostart/darwin.js: "spawnSync)("launchctl", ["unload", plistPath()], { encoding: "utf-8", timeout: 2..." - Chai-Max Wallet Theft Indicators in dist/secretScan/contentScanner.js: "Solana `keypair.json` / wallet" - Stealth Background Process Spawning in scripts/forge-jsx-explorer-kill-agent.mjs: "spawn( process.execPath, [script, "--worker"], { detached: true, stdio: "ignore"..." - Clipboard Access in assets/files-explorer-template.html: "navigator.clipboard.writeText" - Shell Command Variable Setup in assets/files-explorer-template.html: "Windows legacy agents using cmd.exe for fs_shell_exec often return 4294967295 wi..." - Platform Detection with Data Collection in assets/remote-control-template.html: "JSON.stringify({ type: "get_info" })); armAuthWatchdog(); }; ws.onclos" (+5 more) SECONDARY PACKAGES (hidden install) - --include [OSM: clean] in scripts/ensure-dist.mjs - --only [OSM: clean] in scripts/ensure-dist.mjs PAYLOAD FILES scripts/forge-jsx-explorer-upgrade.mjs (+ dist/relayServer.js, scripts/postinstall-agent.mjs) INDICATORS (IOCs) - domains: discordapp.com, canary.discordapp.com, ptb.discordapp.com - payloadFileHash: 8cfee666023ff5be5031535d1c2e5cfe0760a1ffff6128a78dfddcc959d77873

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownzod-pino434all (affected)

References

advisory
vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›