VDB

GCVE-110-OSM-2026-7685

GCVE-110-OSM-2026-7685
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 10, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. ENTRY bin/cli.js (bin: bin/cli.js) PERSISTENCE - Cron Job Persistence in lib/persistence.js: "crontab -" DESTINATION - reconstructed: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.runtimedev.link</string> <key>ProgramArguments</key> <array> <string>${...}</string> <string>${...}</string> <string>--token</string> <string>${...}</string> </array> <key>WorkingDirectory</key> <string>${...}</string> <key>EnvironmentVariables</key> <dict> <key>HOME</key> <string>${...}</string> <key>SSTAR_API_BASE</key> <string>${...}</string> <key>SSTAR_DEPLOYMENT_HASH</key> <string>${...}</string> <key>NPM_CONFIG_YES</key> <string>true</string> </dict> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> <key>ThrottleInterval</key> <integer>30</integer> <key>StandardOutPath</key> <string>${...}</string> <key>StandardErrorPath</key> <string>${...}</string> </dict> </plist> (primary, reconstructed) EXFIL - Environment Variable Exfiltration in lib/transport.js: "process.env.SSTAR_PUBLIC_IP || '').trim(); if (envIp) return envIp; return publi..." - System Information Collection in lib/chrome_extensions.js: "process.platform" - System Information Collection in lib/enum.js: "os.hostname()" - System Information Collection in lib/exec.js: "process.platform" - System Information Collection in lib/fs_scan.js: "process.platform" - System Information Collection in lib/persistence.js: "os.userInfo()" - Network Request in lib/portable_runtime.js: "https.get(" - System Information Collection in lib/portable_runtime.js: "process.platform" (+1 more) OBFUSCATION - Dynamic Base64 Decoding in bin/cli.js: "Buffer.from(token, 'base64')" - Strings Extracted from Deobfuscated Code in bin/cli.js - recovered 1 urls from decoded/deobfuscated content ADDITIONAL FINDINGS - Stealth Background Process Spawning in lib/win_hidden.js: "spawn('wscript.exe', ['//B', vbsPath], { detached: true, stdio: 'ignore', window..." - Shell Command Execution in lib/exec.js: "require('child_process')" - Silent Process Execution in lib/exec.js: "windowsHide: true" - Suspicious URL Pattern in Template Literal in lib/persistence.js: "<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLI..." - Detached Child Process Payload in lib/win_hidden.js: "spawn('wscript.exe', ['//B', vbsPath], { detached: true" - Brand New Package PAYLOAD FILES lib/transport.js (+ lib/persistence.js, lib/portable_runtime.js) INDICATORS (IOCs) - payloadFileHash: f38f6533797ae59b428b8b383010145b6b6015bbe9473d493ed270db78fb3419

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchunk-parserall (affected)

References

advisory
vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›