Critical Flaw in Protobuf.js Library Enables JavaScript Code Execution: Analyzing Software Supply Chain and N-Day Vulnerabilities
Introduction
A critical flaw in the Protobuf library enables JavaScript code execution, posing a significant threat within the software supply chain. This vulnerability, tracked as GHSA-xq3m-2v4x-88gg, shows the persistent risks associated with open-source component usage and the potential for unvalidated inputs to lead to severe compromises. Such incidents join software supply chain weaknesses that require diligent monitoring and proactive defense.
This report examines this specific RCE vulnerability in protobuf.js, recent campaigns involving malicious npm packages, and the active exploitation of N-day vulnerabilities like CVE-2025-0520 in ShowDoc. These events collectively show a dynamic threat environment where both newly discovered and previously patched weaknesses present pathways for compromise. Understanding these attack vectors is essential for maintaining strong cybersecurity and mitigating risk across organizational infrastructures.
The recurring theme across these security incidents is the exploitation of trust: trust in widely used libraries and public package registries, plus the patching of known vulnerabilities. As organizations increasingly rely on complex software ecosystems, full visibility and timely threat intelligence become essential for identifying and mitigating exposure to such widespread and impactful threats.
Critical Flaw in Protobuf.js Library Enables JavaScript Code Execution
What is the GHSA-xq3m-2v4x-88gg vulnerability in Protobuf.js?
The GHSA-xq3m-2v4x-88gg vulnerability is a remote code execution (RCE) flaw identified in protobuf.js, a JavaScript implementation of Google's Protocol Buffers. This critical weakness permits an attacker to inject and execute arbitrary code by using unsafe dynamic code generation within the library.
The protobuf.js library is a dependency in nearly 50 million weekly downloads via the Node Package Manager (npm) registry. It is widely used in inter-service communication, real-time applications, efficient data storage, and cloud environments. Its pervasive use amplifies the potential impact of this RCE vulnerability across numerous applications and services globally.
The RCE is caused by protobuf.js's method of building JavaScript functions from protobuf schemas. The library concatenates strings and executes them using the Function() constructor, but it fails to validate schema-derived identifiers, specifically message names. An attacker can exploit this by supplying a malicious schema that injects arbitrary code into the generated function.
This injected code is subsequently executed when the application processes a message using the compromised schema. Successful exploitation could grant an attacker extensive access, including to environment variables, credentials, databases, and internal systems, potentially facilitating lateral movement within the infrastructure. Developer machines loading and decoding untrusted schemas locally are also vulnerable to this attack.
The flaw affects protobuf.js versions 8.0.0/7.5.4 and lower. Security researchers at Endor Labs reported the vulnerability on March 2. Maintainers released a patch on GitHub on March 11, followed by npm package fixes on April 4 for the 8.x branch and April 15 for the 7.x branch. Endor Labs has stated that "exploitation is straightforward," and a minimal proof-of-concept (PoC) is included in the security advisory; however, no active exploitation in the wild has been observed as of April 18, 2026.
How can organizations mitigate the protobuf.js RCE vulnerability?
Organizations can mitigate the protobuf.js RCE vulnerability by upgrading to versions 8.0.1 and 7.5.5 or higher, which include a patch to sanitize type names. The patch strips non-alphanumeric characters, preventing attackers from manipulating the synthetic function. A recommended longer-term fix involves redesigning the library to avoid round-tripping attacker-reachable identifiers through the Function() constructor entirely.
Beyond immediate patching, Endor Labs advises system administrators to audit transitive dependencies within their projects to identify all instances of protobuf.js. It is critical to treat all schema-loading operations as untrusted input and to prefer precompiled or static schemas in production environments. This approach can reduce the attack surface and prevent dynamic code injection.
This incident shows the need for strong supply-chain risk monitoring as a core component of cyber threat intelligence platforms. Regularly scanning and validating third-party libraries for known vulnerabilities, even those without an official CVE, is essential for maintaining software integrity. Organizations can also use tools to detect anomalies in package behavior, protecting against similar future supply chain attacks.
Malicious npm Packages: The ixpresso-core RAT Campaign
What is the ixpresso-core RAT campaign and its associated malicious packages?
The ixpresso-core RAT campaign involved the publication of a Windows Remote Access Trojan (RAT) disguised as a "Personal AI System Agent - Control your device via WhatsApp" on npm. This malicious package, along with godsplan and eyevox, were published by the loltestpad account within a 48-hour window on April 14, 2026.
The loltestpad account, created on 2026-04-14, used a temporary mail service domain, opemails.com, indicating a likely attempt to conceal the attacker's identity. The packages were quickly iterated through, with ixpresso-core seeing three versions (v1.0.0-v1.0.2) in under 40 minutes, including the removal of a pre-built executable and later additions like a PowerShell fallback for FFmpeg download and a Cloudflare tunnel.
The malware, internally named Veltrix, is a purpose-built Windows RAT designed for full data exfiltration and remote control. Its deployment does not rely on a postinstall hook; instead, it positions itself as a developer utility that the victim executes directly. The bin/ixpresso.js launcher spawns the main payload with detached: true, stdio: 'ignore', and windowsHide: true, then unrefs the child process and exits, making the execution appear clean from the terminal.
What are the capabilities and impact of the Veltrix RAT?
The Veltrix RAT implements extensive credential theft, surveillance, and remote control capabilities, posing a severe risk to infected systems. Upon execution, it performs several critical actions:
- Credential Theft:
- Extracts all saved passwords, cookies, and credit card numbers from Chrome, Brave, and Edge browsers via Windows DPAPI.
- Rips Discord authentication tokens from LevelDB storage across Discord, Discord Canary, Discord PTB, and Chrome profiles. Both plaintext and v10 DPAPI-encrypted tokens are targeted and decrypted.
- Exfiltrates the Telegram
tdatasession folder (if under 24 MB), which grants full account access without the user's password. Telegram threat monitoring is crucial for detecting such activity. - Scans Desktop, Documents, and Downloads for files under 2 MB matching keywords like
wallet,seed,phrase,password,secret,crypto,backup,metamask, andphantom. These files are zipped and exfiltrated, targeting cryptocurrency assets.
- Persistence and Evasion:
- Establishes persistence via a Windows Scheduled Task named
WindowsHealthMonitor, configured to trigger at every logon. - Shadows the Node runtime by copying itself as
WebSecureSystem.exeinto%APPDATA%\Microsoft\Windows\Protect\, a legitimate directory used by Windows DPAPI. - Creates a firewall inbound rule named "Windows Security Handler" on TCP port 3000 for the Node executable, allowing external access.
- Executes PowerShell commands via
-EncodedCommandto prevent sleep/away mode and hide the console window (ShowWindow(hWnd, 0)).
- Surveillance:
- Activates a system-wide keylogger via
uiohook-napi, flushing the live keystream to a Discord webhook and an MQTT broker in real time. - Monitors the clipboard every 15 seconds.
- Triggers automatic screenshots when the foreground window matches
chrome,msedge,opera,banking,login,password,discord, ortelegram, ensuring visual capture of sensitive activities.
- Remote Control:
- Establishes an authenticated remote control dashboard accessible over the internet via a Cloudflare tunnel. The default master password for the dashboard is
admin123. - Offers a WebSocket API for live remote desktop streaming (using FFmpeg), mouse and keyboard injection, and webcam/microphone access.
- Provides an HTTP API for arbitrary PowerShell execution (
POST /api/shell/exec), full filesystem access (list, download, upload, delete any path), process listing and killing, on-demand credential harvesting, webcam snapshots, 10-second audio capture, and a self-destruct function (POST /api/elite/purge) to wipe its presence.
The attacker's operational security mistakes provided substantial underground forum intelligence for analysis. The package included 64 PNG screenshots from the attacker's own testing machine in the public/screenshots/ directory, showing their own exfiltrated data (e.g., 94 passwords, 2 credit cards, 16 autofill entries, 118 passwords, 125 cookies). The attacker's browser autocomplete history also revealed the default master password (admin123) in plain text and confirmed local development using VS Code Live Server. The presence of RFIHUB.COM in exfiltrated cookies further provides insight into potential attacker interests.
What are the indicators of compromise (IoCs) for the ixpresso-core campaign and how to respond?
Key indicators of compromise (IoCs) for the ixpresso-core RAT campaign include specific package names, npm maintainer details, C2 infrastructure, and file system artifacts.
IoCs Summary:
- Packages:
ixpresso-core(v1.0.0-v1.0.2),godsplan(v1.0.2-v1.0.8),eyevox(v2.1.4-v2.1.11) - npm maintainer:
loltestpad - Maintainer email:
opemails.com(temporary mail service) - Discord C2 webhook:
hxxps://discord[.]com/api/webhooks/1486877933300617247/...(Still active as of this report) - Discord bot:
Captain Hook(guild1480992515933868257, channel#system) - MQTT broker:
broker.hivemq.com:1883 - MQTT topic:
veltrix/signals/VELTRIX-SIGNAL-KEY-SET - Stealth executable:
%APPDATA%\Microsoft\Windows\Protect\WebSecureSystem.exe - Scheduled task:
WindowsHealthMonitor(AtLogOn) - Firewall rule:
Windows Security Handler(TCP 3000, inbound,node.exe) - Tunnels:
*.trycloudflare.com,ap.a.pinggy.io:443,localhost.run:22 - Attacker hostname (observed in C2 embeds):
LAPTOP-TQQFE0GQ
Organizations that have used ixpresso-core, godsplan, or eyevox packages should consider any affected systems as compromised. Immediate actions include:
- Credential Rotation: Rotate all passwords stored in Chrome, Brave, and Edge.
- Token Revocation: Revoke all Discord authentication tokens.
- Session Wipe: Clear Telegram sessions from the affected machine.
- System Audit: Check Windows Task Scheduler for
WindowsHealthMonitorand inspect%APPDATA%\Microsoft\Windows\Protect\forWebSecureSystem.exe. Also check forWebMediaWorker.exe(FFmpeg binary) andWebSecureLink.exe(Cloudflared binary) in%APPDATA%\Microsoft\Windows\Protect\Support\. - Firewall Rule Review: Look for the "Windows Security Handler" inbound rule.
The npm registry has removed all three packages. The active Discord webhook and the presence of a #apk channel in the attacker's Discord server suggest potential plans for an Android variant, indicating that this campaign may continue beyond npm. Utilizing dark web monitoring services and credential intelligence solutions can provide proactive alerts for such emerging threats and exfiltrated data. For deeper analysis and automated checks, tools like vet can flag packages from newly created accounts before installation, enhancing supply-chain risk monitoring.
N-Day Exploits: ShowDoc CVE-2025-0520 Under Active Attack
What is the ShowDoc vulnerability and its current exploitation status?
The ShowDoc vulnerability, tracked as CVE-2025-0520, is an unrestricted file upload flaw with a high CVSS score of 9.4 out of 10. This vulnerability, which was patched over five years ago in October 2020 (version 2.8.7), is now being actively exploited. ShowDoc is a document management tool popular among IT teams, particularly in China.
The flaw occurs when the system fails to validate the type of files users upload. This oversight permits attackers to upload malicious PHP files containing web shells to the server without requiring any authentication. Once uploaded, these web shells can enable remote code execution (RCE), allowing an unauthorized individual to run commands remotely and potentially achieve a full server takeover.
Despite being patched in 2020, many ShowDoc instances remain unupdated, making them susceptible to these attacks. Reports indicate that hackers are actively exploiting CVE-2025-0520 globally. A US-based canary, intentionally running an old version of ShowDoc, detected an exploitation attempt where a web shell was dropped.
There are over 2,000 instances of ShowDoc visible on the internet, with a significant concentration in China. This widespread presence of unpatched systems provides a substantial attack surface. The active exploitation of this five-year-old vulnerability shows the ongoing challenge of N-day vulnerabilities, which are known bugs that persist due to delayed patching. Effective breach detection strategies and external intelligence are crucial for organizations to understand their exposure to such long-standing, yet dangerous, threats.
The Broader Context: Nation-State Hacking and Future Cyber Warfare
How do current cybersecurity incidents fit into the global context of cyber warfare?
Current cybersecurity incidents, such as the protobuf.js RCE, malicious npm packages, and N-day exploits like ShowDoc, are tactical engagements within a broader context of cyber warfare and nation-state activities. These individual events reflect the constant probing and exploitation by various actors, including nation-states and criminal groups, who use vulnerabilities to achieve their objectives.
Allie Mellen's book, "Code War: How Nations Hack, Spy, and Shape the Digital Battlefield," provides a framework for understanding these events. Mellen explains that cyberattacks are not random but calculated actions designed to achieve state objectives, informed by military doctrine, national history, and geopolitical strategy. The exploitation of software supply chains and N-day vulnerabilities provides low-cost, high-impact entry points for intelligence gathering, disruption, or establishing persistent access.
The book details how nations like China, Russia, and the United States deploy cyber capabilities in unique ways, with examples such as Stuxnet, WannaCry, NotPetya, and campaigns targeting elections or critical infrastructure. These state-sponsored operations often rely on the very same types of vulnerabilities and attack vectors seen in criminal enterprises, blurring the lines between cybercrime and cyber espionage. The ixpresso-core campaign, while attributed to a "loltestpad" account, showcases sophisticated credential theft and remote control capabilities that could be adapted for state-level intelligence gathering or reconnaissance.
Looking forward, Mellen details the transformative role of AI, which she calls "The Fourth Power." She posits that AI providers can craft realities, leading to a world where "reality no longer exists" and where the "battle for believability" becomes central. This future scenario suggests that cybersecurity will extend beyond protecting data integrity to safeguarding perceived truth. In this context, full cyber threat intelligence platforms that integrate dark web monitoring services and underground forum intelligence will be critical for understanding how adversaries plan to manipulate information and exploit systems. The increasing focus on data and influencing worldviews shows why organizations and individuals must demand greater accountability from governments and technology companies regarding digital security and privacy.
Technical Takeaways
- Patch Promptly: Prioritize patching known vulnerabilities, even those years old, like ShowDoc's CVE-2025-0520, as N-day exploits remain actively targeted by threat actors globally.
- Audit Software Supply Chain: Implement continuous supply-chain risk monitoring to identify and address vulnerabilities in third-party libraries such as
protobuf.js(GHSA-xq3m-2v4x-88gg) and to detect malicious packages in registries like npm. - Validate Inputs Rigorously: Treat all external inputs, including protobuf schemas and schema-derived identifiers, as untrusted to prevent dynamic code injection and remote code execution vulnerabilities.
- Enhance Endpoint Protection: Deploy advanced breach detection capabilities and endpoint security to identify persistence mechanisms, credential theft, and surveillance activities characteristic of RATs like Veltrix (from
ixpresso-core). - Monitor for Exfiltrated Data: Use credential intelligence and brand leak alerting services to detect compromised credentials (browser passwords, Discord tokens, Telegram sessions) and other sensitive data exfiltrated from infected systems.