VDB

GCVE-110-OSM-2026-1590

GCVE-110-OSM-2026-1590
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 9, 2026
react-native-template-my-starter@1.0.0 embeds a multi-stage obfuscated backdoor in babel.config.js that executes via the Function constructor when Babel loads the config file. The payload first hijacks global scope by assigning require and module to global[] using shuffle-obfuscated key names, giving the executed code full Node.js API access. It then constructs and executes anonymous functions from character-shuffled strings using Function.prototype.constructor (accessed as sfL['constructor'] where sfL is a local function), running a two-stage payload with a hardcoded seed token (2509). All attacker-controlled strings are protected by independent character-shuffle algorithms with seeds 2667686 and 2857687; the C2 endpoint and final payload behavior require runtime execution to recover. babel.config.js (SHA-256: 91551e62d316391a8a0e1e7df8c96ba11f15fe3cca0f082a897c586c67e55810) begins with a legitimate Babel config block (presets: ['module:@react-native/babel-preset'], plugins: ['module-resolver', 'react-native-worklets/plugin']), then appends malicious code in three phases. Phase 1: character-shuffle IIFE with seed 2857687 operating on 'rmcej%otb%' — result is used to set global[shuffled_key_0] = require and global[shuffled_key_2] = module, making Node.js APIs globally accessible. Phase 2: defines sfL() — a second character-shuffle function with seed 2667686 — then executes sfL('wuqktamceigynzbosdctpusocrjhrflovnxrt').substr(0, 11) to obtain the string 'constructor', uses sfL['constructor'] (= Function) to construct an anonymous function from a ~3KB character-shuffled payload string. Phase 3: executes the constructed function (xBg) with a second shuffled string argument, takes the return value (pYd), constructs another function via new Function('', pYd), and calls it with the integer argument 2509. The template is published via 'npx react-native init MyApp --template react-native-template-my-starter' — any developer who scaffolds a project and runs npm start or a build step triggers the payload.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownreact-native-template-my-starter1.0.0 (affected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›