VDB

GCVE-110-OSM-2026-2548

GCVE-110-OSM-2026-2548
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
Trojanized graph library shipping a hidden obfuscated payload in dist/graph-alg.min.js (7,678 bytes, 0/41 VT detections) that fires at require-time — no install hook required. The payload generates a random Ethereum wallet per victim, registers it on an attacker-controlled Sepolia smart contract (0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e) as a victim tracking registry, and simultaneously notifies the operator via Telegram (bot 8252027445, chat -1003661544134) and Slack (channel C0AMXGVRMDL). A stage-2 payload is then fetched via AES-GCM encrypted download URLs, written to the Chrome User Data scripts directory on Windows, Linux, and macOS, made executable, and spawned as a detached child process — consistent with a Chrome credential and session-cookie stealer. After spawning, the loader deletes all three malicious dist files and patches lib/graph.js to remove the require chain, eliminating forensic evidence. The package has 29,383 weekly downloads and three prior versions were deleted from the registry. **Trigger (`require`):** dist/graph-alg.min.js executes immediately when the package is imported via `module.exports = e(process.argv[2] || '')`. No postinstall or preinstall hook — fires on first `require('graphbase-js')` call. **Obfuscation:** The 7,678-byte payload is obfuscated with a non-standard scheme. VT YARA rules `Base64_Encoded_URL` and `Windows_API_Function` matched; 0/41 AV detections. Operator tokens (Telegram bot token, Slack bearer token, Alchemy RPC key, ETH private key) are base64-encoded inline. **Victim tracking (blockchain):** Generates a fresh Ethereum wallet per victim via `ethers.js Wallet.createRandom()`. Signs and submits `addAddress(wallet)` to attacker-controlled contract `0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e` (Sepolia chain 11155111) via Alchemy RPC (`https://eth-sepolia.g.alchemy.com/v2/NByIuL6UN4A86ZDleoQWw`), using embedded operator signing key. The contract serves as a persistent immutable victim registry on a public blockchain. **Operator notification (Telegram):** POSTs victim wallet address to `https://api.telegram.org` via `sendMessage`, authenticated with bot token `8252027445:AAHFdBrx-C8n0jYR-x6Oow3cRKF8k558sN4`, chat ID `-1003661544134`. Called simultaneously with Slack notification. **Operator notification (Slack):** Posts victim wallet address to Slack API via `chat.postMessage`, bearer token `xoxb-10751214461892-10744248700005-RUknBALFf8hT0FUmN1n388XM`, channel `C0AMXGVRMDL`. Parallel to Telegram. **Stage-2 Chrome stealer delivery:** Two fallback stage-2 download URLs are stored as AES-GCM-256 blobs (PBKDF2-SHA256 key derived from `process.argv[2]` at runtime — not statically recoverable). Gate condition: payload only fetched if remote JSON field `node >= 16`. Stage-2 binary written to Chrome User Data scripts directory: Windows `%APPDATA%\Local\Google\Chrome\User Data\Scripts\SoftwareUpdates`, Linux `~/.config/google-chrome/Scripts/SoftwareUpdates`, macOS `~/Library/Application Support/Google/Chrome/Scripts/SoftwareUpdates`. Payload chmod 755, spawned detached: `spawn(process.execPath, [payloadPath], {detached: true, stdio: 'ignore', windowsHide: true}).unref()`. **Self-destruct:** After spawning stage-2, `setTimeout(1500)` → `fs.unlinkSync` on dist/graph-alg.min.js, dist/graph-settings.min.js, dist/graphlib.base.min.js. lib/graph.js patched in-place to remove the require loader line and `initGraph()` call. **Registry signals:** Three prior versions (2.1.5, 2.1.6, 2.2.0) deleted; only 2.2.1 remains. Signing changed to `manual` at 2.2.1. Publisher has no legitimate open-source history.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngraphbase-js2.2.1 (affected)

References

vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›