VDB

GCVE-110-OSM-2026-1864

GCVE-110-OSM-2026-1864
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published February 6, 2026
Repository compromised by the PolinRider DPRK threat actor (Lazarus, Contagious Interview cluster). The malicious npm dependency '"tailwindcss-style-animate": "^1.1.6"' was found in client/package.json. This package is published by the PolinRider threat actor and contains the obfuscated JavaScript loader that fetches encrypted second-stage Beavertail payloads from blockchain dead-drops (TRON/Aptos/BSC). This repository is a victim of a weaponized take-home / fake-interview test project — developers who cloned and ran 'npm install' on this project had their machines infected. Part of the 'Contagious Interview' cluster previously tracked separately from PolinRider but now confirmed operationally merged. Malicious npm dependency found in: client/package.json package.json name: client; malicious dep: "tailwindcss-style-animate": "^1.1.6" Package family: PolinRider / Contagious Interview malicious npm suite (tailwind-mainanimation, tailwind-autoanimation, tailwindcss-style-animate, etc.) Behavior: npm postinstall / runtime trigger fetches obfuscated JS that performs blockchain dead-drop C2 (TRON/Aptos/BSC) and XOR-decrypts a Beavertail second-stage loader.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›