VDB
GCVE-110-OSM-2026-7685
GCVE-110-OSM-2026-7685
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code.
ENTRY
bin/cli.js (bin: bin/cli.js)
PERSISTENCE
- Cron Job Persistence in lib/persistence.js: "crontab -"
DESTINATION
- reconstructed: <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.runtimedev.link</string>
<key>ProgramArguments</key>
<array>
<string>${...}</string>
<string>${...}</string>
<string>--token</string>
<string>${...}</string>
</array>
<key>WorkingDirectory</key>
<string>${...}</string>
<key>EnvironmentVariables</key>
<dict>
<key>HOME</key>
<string>${...}</string>
<key>SSTAR_API_BASE</key>
<string>${...}</string>
<key>SSTAR_DEPLOYMENT_HASH</key>
<string>${...}</string>
<key>NPM_CONFIG_YES</key>
<string>true</string>
</dict>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>ThrottleInterval</key>
<integer>30</integer>
<key>StandardOutPath</key>
<string>${...}</string>
<key>StandardErrorPath</key>
<string>${...}</string>
</dict>
</plist>
(primary, reconstructed)
EXFIL
- Environment Variable Exfiltration in lib/transport.js: "process.env.SSTAR_PUBLIC_IP || '').trim(); if (envIp) return envIp; return publi..."
- System Information Collection in lib/chrome_extensions.js: "process.platform"
- System Information Collection in lib/enum.js: "os.hostname()"
- System Information Collection in lib/exec.js: "process.platform"
- System Information Collection in lib/fs_scan.js: "process.platform"
- System Information Collection in lib/persistence.js: "os.userInfo()"
- Network Request in lib/portable_runtime.js: "https.get("
- System Information Collection in lib/portable_runtime.js: "process.platform"
(+1 more)
OBFUSCATION
- Dynamic Base64 Decoding in bin/cli.js: "Buffer.from(token, 'base64')"
- Strings Extracted from Deobfuscated Code in bin/cli.js
- recovered 1 urls from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Stealth Background Process Spawning in lib/win_hidden.js: "spawn('wscript.exe', ['//B', vbsPath], { detached: true, stdio: 'ignore', window..."
- Shell Command Execution in lib/exec.js: "require('child_process')"
- Silent Process Execution in lib/exec.js: "windowsHide: true"
- Suspicious URL Pattern in Template Literal in lib/persistence.js: "<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLI..."
- Detached Child Process Payload in lib/win_hidden.js: "spawn('wscript.exe', ['//B', vbsPath], { detached: true"
- Brand New Package
PAYLOAD FILES
lib/transport.js (+ lib/persistence.js, lib/portable_runtime.js)
INDICATORS (IOCs)
- payloadFileHash: f38f6533797ae59b428b8b383010145b6b6015bbe9473d493ed270db78fb3419
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chunk-parser | all (affected) | — |
Aliases
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.