I won't discuss the businesses it affects publicly due to the nature.
US Primarily, but is multi-international potential.
The PoC will contain full workstation environment + files needed + proof of concept + a summary of the application reverse engineered for further analysis or understanding of everything.
This can be done / automated, but I will not provide code for this. I will however explain what you would need to accomplish for automated deployment.
The command execution itself, is treated as a XSS through a URL parameter. Once the target machine visits the link, the link will allow for quite a few abilities such as Registry read/write, File search/read/write, Process start and more.
I have video evidence of this + the complete workstation application(s) and scripts to prove it.
Affects at minimum 8000+ Locations.
Selling 1 copy of it only.
Middle man is welcomed to prove any claims. Only dealing with trust middle man, and only dealing on site.
I will be removing this thread shortly as I don't want to bring to much attention to it.
It's a supply chain attack, dealing within multiple businesses that were ranked, or are ranked on Fortune 500 business list.
Currently, the only thing as I mentioned before, this requires users to click a link for example, or visit a page with pointing towards the redirect or embedding an iframe .
The Vulnerability
The application loads a page from https://localhost and uses `eval()` on a URL parameter without validation:
An attacker can craft a URL that injects JavaScript. The code executes with the application’s privileges – often Administrator.
Why This Is Critical
- The embedded browser has no sandbox – it runs with full system rights.
- The application provides a local REST API that exposes operations like file access, process creation, registry modification, network downloads, and system shutdown.
- These APIs are unauthenticated – any request from `localhost` is blindly trusted.
A single crafted URL lets an attacker:
- Read any file (SSH keys, credentials, configs)
- Write malicious files to startup folders
- Launch executables (`calc.exe`, `cmd.exe`, malware)
- Add persistence via registry Run keys
- Reboot or shut down the machine
- Exfiltrate data silently
Simple Proof‑of‑Concept
The attacker sends a link like:
When the victim clicks it, the application runs the injected JavaScript, which calls the local API to launch `calc.exe` – silently and without any further interaction.
Why This Matters
This is not a typical XSS. It’s a direct path from a browser bug to full machine compromise. The attack is stealthy, persistent, and requires only one click.
Again, I accept MM . I will provide all proof of this working.
This only affects WINDOWS machines.
Don't miss on this.
again, ON SITE DEALS ONLY.
US Primarily, but is multi-international potential.
The PoC will contain full workstation environment + files needed + proof of concept + a summary of the application reverse engineered for further analysis or understanding of everything.
This can be done / automated, but I will not provide code for this. I will however explain what you would need to accomplish for automated deployment.
The command execution itself, is treated as a XSS through a URL parameter. Once the target machine visits the link, the link will allow for quite a few abilities such as Registry read/write, File search/read/write, Process start and more.
I have video evidence of this + the complete workstation application(s) and scripts to prove it.
Affects at minimum 8000+ Locations.
Selling 1 copy of it only.
Middle man is welcomed to prove any claims. Only dealing with trust middle man, and only dealing on site.
I will be removing this thread shortly as I don't want to bring to much attention to it.
It's a supply chain attack, dealing within multiple businesses that were ranked, or are ranked on Fortune 500 business list.
Currently, the only thing as I mentioned before, this requires users to click a link for example, or visit a page with pointing towards the redirect or embedding an iframe .
The Vulnerability
The application loads a page from https://localhost and uses `eval()` on a URL parameter without validation:
Code:
var userData = getQueryParam("state");
eval("var config = " + userData);An attacker can craft a URL that injects JavaScript. The code executes with the application’s privileges – often Administrator.
Why This Is Critical
- The embedded browser has no sandbox – it runs with full system rights.
- The application provides a local REST API that exposes operations like file access, process creation, registry modification, network downloads, and system shutdown.
- These APIs are unauthenticated – any request from `localhost` is blindly trusted.
A single crafted URL lets an attacker:
- Read any file (SSH keys, credentials, configs)
- Write malicious files to startup folders
- Launch executables (`calc.exe`, `cmd.exe`, malware)
- Add persistence via registry Run keys
- Reboot or shut down the machine
- Exfiltrate data silently
Simple Proof‑of‑Concept
The attacker sends a link like:
Code:
https://localhost/vulnerable/page.htm?state=(async function(){ await api.process.create('calc.exe'); })()When the victim clicks it, the application runs the injected JavaScript, which calls the local API to launch `calc.exe` – silently and without any further interaction.
Why This Matters
This is not a typical XSS. It’s a direct path from a browser bug to full machine compromise. The attack is stealthy, persistent, and requires only one click.
Again, I accept MM . I will provide all proof of this working.
This only affects WINDOWS machines.
Don't miss on this.
again, ON SITE DEALS ONLY.
![[Image: robinfinal.webp]](https://i.ibb.co/MfxzvWM/robinfinal.webp)
![[Image: Comp-3.gif]](https://i.ibb.co/K5qm5j7/Comp-3.gif)