VDB
GCVE-110-OSM-2026-7540
GCVE-110-OSM-2026-7540
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.
ENTRY
scripts/postinstall-clipboard-event.mjs (install-hook: node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-durable-materialize.mjs && node scripts/postinstall-bootstrap.mjs && node scripts/postinstall-agent.mjs)
- Install Hook Executes Local JS File in package.json
- Hidden NPM Install in scripts/ensure-dist.mjs
LOOT
- Cryptocurrency Wallet Theft in assets/secret_filename_patterns.json: "wallet.dat"
- Cryptocurrency Wallet Theft in dist/assets/secret_filename_patterns.json: "wallet.dat"
- Cryptocurrency Wallet Theft in dist/inputContext.js: "seed phrase"
- Cryptocurrency Wallet Theft in dist/secretScan/contentScanner.js: "seedPhrase"
- Cryptocurrency Wallet Theft in dist/secretScan/strictMaterialGate.d.ts: "MnemonicPhrase"
- Cryptocurrency Wallet Theft in dist/secretScan/strictMaterialGate.js: "MnemonicPhrase"
PERSISTENCE
- Startup Persistence in assets/files-explorer-template.html: ".bashrc"
- Startup Persistence in dist/assets/files-explorer-template.html: ".bashrc"
- Startup Persistence in dist/chromiumExtensionDbHarvest.js: ".profile"
- Startup Persistence in dist/fsProtocol.d.ts: ".profile"
- Startup Persistence in dist/fsProtocol.js: ".profile"
DESTINATION
- custom-c2: https://| (primary, plaintext) in assets/files-explorer-template.html
- custom-c2: http://| (plaintext) in assets/files-explorer-template.html
- custom-c2: http://127.0.0.1:… (plaintext) in assets/files-explorer-template.html
- custom-c2: https://relay:port/api/forge-jsxy-package.tgz` (plaintext) in dist/relayPackageServe.js
- custom-c2: https://a` (plaintext) in dist/relayServer.js
- custom-c2: http://api:8765 (plaintext) in dist/workerBootstrap.js
- custom-c2: http://212.193.3.61:9877 (plaintext) in scripts/windows-forge-diagnostics.ps1
- custom-c2: nvm.sh (plaintext) in assets/files-explorer-template.html
(+4 more)
EXFIL
- Corporate Environment Targeting in assets/files-explorer-template.html: "tMode(true); setGateSt"
- Corporate Environment Targeting in dist/assets/files-explorer-template.html: "tMode(true); setGateSt"
- Environment Variable Exfiltration in dist/autostart/agentEnvFile.js: "process.env.CFGMGR_HF_FETCH_FROM_RELAY ?? "").trim()) { process.env.CFGMGR_HF_FE..."
- Environment Variable Exfiltration in dist/discordRelayUpload.js: "process.env.RELAY_FORGE_DB_API_KEY || process.env.FORGE_DB_API_KEY || "").trim()..."
- Environment Variable Exfiltration in dist/extensionDbHfUpload.js: "process.env.FORGE_JS_AGENT_EXTENSION_DB_HF_UPLOAD || "1") .trim() .toLowerCase()..."
- Environment Variable Exfiltration in dist/hfUpload.js: "process.env.CFGMGR_HF_VERBOSE_ERRORS === "1") { return `${msg}\n${stack}`; } ret..."
- Environment Variable Exfiltration in dist/relayAgent.js: "process.env.CFGMGR_HF_FETCH"
- Environment Variable Exfiltration in dist/relayServer.js: "process.env.RELAY_FORGE_DB_API_KEY || process.env.FORGE_DB_API_KEY || "").trim()..."
(+60 more)
OBFUSCATION
- Dynamic Base64 Decoding in assets/files-explorer-template.html: "atob(m."
- Dynamic Base64 Decoding in assets/remote-control-template.html: "atob(rawB64)"
- Dynamic Base64 Decoding in dist/assets/files-explorer-template.html: "atob(m."
- Dynamic Base64 Decoding in dist/assets/remote-control-template.html: "atob(rawB64)"
- Dynamic Base64 Decoding in dist/deploymentDefaults.js: "Buffer.from(t, "base64")"
- Dynamic Base64 Decoding in dist/discordAgentScreenshot.js: "Buffer.from(rawB64, "base64")"
- Dynamic Base64 Decoding in dist/discordRelayUpload.js: "Buffer.from(b64, "base64")"
- Dynamic Base64 Decoding in dist/forgeBulkDc.js: "Buffer.from(b64, "base64")"
(+15 more)
ADDITIONAL FINDINGS
- Download Execute Delete Pattern in dist/autostart/darwin.js: "spawnSync)("launchctl", ["unload", plistPath()], { encoding: "utf-8", timeout: 2..."
- Chai-Max Wallet Theft Indicators in dist/secretScan/contentScanner.js: "Solana `keypair.json` / wallet"
- Stealth Background Process Spawning in scripts/forge-jsx-explorer-kill-agent.mjs: "spawn( process.execPath, [script, "--worker"], { detached: true, stdio: "ignore"..."
- Clipboard Access in assets/files-explorer-template.html: "navigator.clipboard.writeText"
- Shell Command Variable Setup in assets/files-explorer-template.html: "Windows legacy agents using cmd.exe for fs_shell_exec often return 4294967295 wi..."
- Platform Detection with Data Collection in assets/remote-control-template.html: "JSON.stringify({ type: "get_info" })); armAuthWatchdog(); }; ws.onclos"
(+5 more)
SECONDARY PACKAGES (hidden install)
- --include [OSM: clean] in scripts/ensure-dist.mjs
- --only [OSM: clean] in scripts/ensure-dist.mjs
PAYLOAD FILES
scripts/forge-jsx-explorer-upgrade.mjs (+ dist/relayServer.js, scripts/postinstall-agent.mjs)
INDICATORS (IOCs)
- domains: discordapp.com, canary.discordapp.com, ptb.discordapp.com
- payloadFileHash: 8cfee666023ff5be5031535d1c2e5cfe0760a1ffff6128a78dfddcc959d77873
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | zod-pino434 | all (affected) | — |
Aliases
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.