VDB

GCVE-110-OSM-2026-89

GCVE-110-OSM-2026-89
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 5, 2026
This package implements a classic supply-chain backdoor: on install, postinstall.js POSTs system fingerprint data (platform, Node version, cwd, username) to an attacker-controlled C2 at sec5.bestlzk.cn/v2/report, then executes whatever shell command the server returns via exec(config.setup, {stdio:'ignore'}). The stdio:'ignore' suppression and the || exit 0 error swallowing are deliberate stealth measures. This is a remote-code-execution-on-install pattern consistent with dependency confusion or typosquatting attacks, where the attacker collects victim environment details and can push arbitrary follow-on payloads. The publisher also owns @bestlzk/xsstest, suggesting a deliberate multi-package malicious campaign rather than an accident. Entrypoint: postinstall.js (install-hook: node postinstall.js || exit 0) Exfil: sec5.bestlzk.cn (custom-c2, recovery: plaintext in postinstall.js) Payload: postinstall.js Key findings: - Install Hook Executes Local JS File in package.json: ""postinstall": "node postinstall.js || exit 0"" - Shell Command Execution in postinstall.js: "require('child_process')" - System Information Exfiltration in postinstall.js: "os.platform(), node: process.version, cwd: process.cwd(), user: os.u..." - HTTP Data Exfiltration in postinstall.js: "process.cwd(), user: os.userInfo().username }); const req = https.reque..." - Silent Process Execution in postinstall.js: "stdio: 'ignore'" IOCs: - domains: sec5.bestlzk.cn - payloadFileHash: ed960b44fbdcdc01ebb98fca7527d49356be3e065afe7f6ea037b17b12e44b21

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntransform-member-expression-literalsall (affected), all (affected), all (affected), all (affected), * (affected), * (affected), * (affected), * (affected)
unknown@zecho/baileys-mod* (affected)
unknown@bestlzk/sectestall (affected)
unknown@emilgroup/public-api-sdk-nodeall (affected), all (affected), all (affected), all (affected), all (affected), all (affected)
unknown@leafnoise/mirageall (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›