VDB
GCVE-110-OSM-2026-2548
GCVE-110-OSM-2026-2548
Advisory PublishedCVSS 8.8/10
Trojanized graph library shipping a hidden obfuscated payload in dist/graph-alg.min.js (7,678 bytes, 0/41 VT detections) that fires at require-time — no install hook required. The payload generates a random Ethereum wallet per victim, registers it on an attacker-controlled Sepolia smart contract (0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e) as a victim tracking registry, and simultaneously notifies the operator via Telegram (bot 8252027445, chat -1003661544134) and Slack (channel C0AMXGVRMDL). A stage-2 payload is then fetched via AES-GCM encrypted download URLs, written to the Chrome User Data scripts directory on Windows, Linux, and macOS, made executable, and spawned as a detached child process — consistent with a Chrome credential and session-cookie stealer. After spawning, the loader deletes all three malicious dist files and patches lib/graph.js to remove the require chain, eliminating forensic evidence. The package has 29,383 weekly downloads and three prior versions were deleted from the registry.
**Trigger (`require`):** dist/graph-alg.min.js executes immediately when the package is imported via `module.exports = e(process.argv[2] || '')`. No postinstall or preinstall hook — fires on first `require('graphbase-js')` call.
**Obfuscation:** The 7,678-byte payload is obfuscated with a non-standard scheme. VT YARA rules `Base64_Encoded_URL` and `Windows_API_Function` matched; 0/41 AV detections. Operator tokens (Telegram bot token, Slack bearer token, Alchemy RPC key, ETH private key) are base64-encoded inline.
**Victim tracking (blockchain):** Generates a fresh Ethereum wallet per victim via `ethers.js Wallet.createRandom()`. Signs and submits `addAddress(wallet)` to attacker-controlled contract `0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e` (Sepolia chain 11155111) via Alchemy RPC (`https://eth-sepolia.g.alchemy.com/v2/NByIuL6UN4A86ZDleoQWw`), using embedded operator signing key. The contract serves as a persistent immutable victim registry on a public blockchain.
**Operator notification (Telegram):** POSTs victim wallet address to `https://api.telegram.org` via `sendMessage`, authenticated with bot token `8252027445:AAHFdBrx-C8n0jYR-x6Oow3cRKF8k558sN4`, chat ID `-1003661544134`. Called simultaneously with Slack notification.
**Operator notification (Slack):** Posts victim wallet address to Slack API via `chat.postMessage`, bearer token `xoxb-10751214461892-10744248700005-RUknBALFf8hT0FUmN1n388XM`, channel `C0AMXGVRMDL`. Parallel to Telegram.
**Stage-2 Chrome stealer delivery:** Two fallback stage-2 download URLs are stored as AES-GCM-256 blobs (PBKDF2-SHA256 key derived from `process.argv[2]` at runtime — not statically recoverable). Gate condition: payload only fetched if remote JSON field `node >= 16`. Stage-2 binary written to Chrome User Data scripts directory: Windows `%APPDATA%\Local\Google\Chrome\User Data\Scripts\SoftwareUpdates`, Linux `~/.config/google-chrome/Scripts/SoftwareUpdates`, macOS `~/Library/Application Support/Google/Chrome/Scripts/SoftwareUpdates`. Payload chmod 755, spawned detached: `spawn(process.execPath, [payloadPath], {detached: true, stdio: 'ignore', windowsHide: true}).unref()`.
**Self-destruct:** After spawning stage-2, `setTimeout(1500)` → `fs.unlinkSync` on dist/graph-alg.min.js, dist/graph-settings.min.js, dist/graphlib.base.min.js. lib/graph.js patched in-place to remove the require loader line and `initGraph()` call.
**Registry signals:** Three prior versions (2.1.5, 2.1.6, 2.2.0) deleted; only 2.2.1 remains. Signing changed to `manual` at 2.2.1. Publisher has no legitimate open-source history.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | graphbase-js | 2.2.1 (affected) | — |
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.