VDB
GCVE-110-OSM-2026-1864
GCVE-110-OSM-2026-1864
Advisory PublishedCVSS 8.8/10
Repository compromised by the PolinRider DPRK threat actor (Lazarus, Contagious Interview cluster). The malicious npm dependency '"tailwindcss-style-animate": "^1.1.6"' was found in client/package.json. This package is published by the PolinRider threat actor and contains the obfuscated JavaScript loader that fetches encrypted second-stage Beavertail payloads from blockchain dead-drops (TRON/Aptos/BSC). This repository is a victim of a weaponized take-home / fake-interview test project — developers who cloned and ran 'npm install' on this project had their machines infected. Part of the 'Contagious Interview' cluster previously tracked separately from PolinRider but now confirmed operationally merged.
Malicious npm dependency found in: client/package.json
package.json name: client; malicious dep: "tailwindcss-style-animate": "^1.1.6"
Package family: PolinRider / Contagious Interview malicious npm suite (tailwind-mainanimation, tailwind-autoanimation, tailwindcss-style-animate, etc.)
Behavior: npm postinstall / runtime trigger fetches obfuscated JS that performs blockchain dead-drop C2 (TRON/Aptos/BSC) and XOR-decrypts a Beavertail second-stage loader.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.