VDB
GCVE-110-OSM-2026-1901
GCVE-110-OSM-2026-1901
Advisory PublishedCVSS 9.6/10
PolinRider (DPRK) successful upstream infection. The postcss.config.mjs file on main branch contains the PolinRider obfuscated payload (signature: "rmcej%otb%",2857687, tag 8-1259). Payload was merged via PRs #98 and #99 (2026-04-03) by masudparvez2050 (MASUDUR RAHMAN), who is a developer at the Softvence Omega Dev Ninjas agency. The developer's machine appears to have been compromised by PolinRider, and their commits carried the payload into this client project repository.
=== CONFIRMED UPSTREAM INFECTION ===
Attack type: Insider (compromised developer) merge into non-fork org repo
Target repo: Softvence-Omega-Dev-Ninjas/tomerblackburn-frontend (0 stars, client project)
Merged PRs: https://github.com/Softvence-Omega-Dev-Ninjas/tomerblackburn-frontend/pull/98 , https://github.com/Softvence-Omega-Dev-Ninjas/tomerblackburn-frontend/pull/99
Merge date: 2026-04-03
=== PAYLOAD ===
Infected file: postcss.config.mjs (current main branch)
Signature: global['!']='8-1259'; var _$_1e42=(function(l,e){...})("rmcej%otb%",2857687)
Decoder: XORs/permutes the packed string to reconstruct a require() wrapper that resolves TRON blockchain C2 via trongrid.io calls, then pulls and executes a second-stage payload.
=== IMPACT ===
Stars: 0
This is a client project repository of a dev agency. Sibling repos in the org (diaz-florida-yacht-frontend, diaz-jupiter-marine-frontend) are also confirmed infected with the same pattern. Author masudparvez2050 has 105 public repos (2021-10-12 account) and appears to be a real developer whose machine was compromised by PolinRider.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Malicious package:
advisory
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.