VDB
GCVE-110-OSM-2026-2133
GCVE-110-OSM-2026-2133
Advisory PublishedCVSS 5.4/10
PolinRider DPRK malware payload appended to config file (babel.config.js) in developer's own repo. Confirmed signatures: rmcej%otb% and global['!']/_$_1e42 obfuscation builder. Connects to TRON blockchain C2 via trongrid.io. Victim's GitHub credentials likely compromised.
=== POLINRIDER PAYLOAD (Category A — victim developer repo) ===
Attack type: PolinRider config-file injection (DPRK)
Victim repo: KelvinTechies/mobileReactBanking
Infected file(s): babel.config.js
=== SIGNATURES VERIFIED ===
Primary: ("rmcej%otb%",2857687)
Secondary: global['!']='X-X-X';var _$_1e42=
Builder variant key: wuqktamceigynzbosdctpusocrjhrflovnxrt
=== BEHAVIOR ===
Heavily obfuscated JS payload appended to legitimate config file.
Calls require() and child_process from a config file (anomalous).
Connects to TRON blockchain (trongrid.io) for C2 / payload retrieval.
=== CLASSIFICATION ===
Category A — developer machine compromised; payload pushed to own repo.
Non-fork, no upstream PR vector observed in this hunt.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | * (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.