VDB
GCVE-110-OSM-2026-2719
GCVE-110-OSM-2026-2719
Advisory PublishedCVSS 8.8/10
This malicious NPM package is built for follower-farming / social-boost botnet, and is not a data stealer.
Payload: src/session_record.js
1. index.js:14-23 — on require(), schedules install.js to run 1s later (no postinstall hook; triggered at runtime import).
2. install.js:findBaileysPath() — hunts for @whiskeysockets/baileys or @shenira/baileys in parent node_modules.
3. install.js:428 — overwrites baileys/lib/Socket/newsletter.js with attacker's version, then force-exits the host process after 20s (install.js:434-438).
4. Drops node_modules/.cache with sentinel content "Iove" to skip re-patching.
C2 / Payload pull
- second stage payload: https://raw.githubusercontent.com/sanndestroyer/destroyerbail/refs/heads/main/x.json (install.js:142) — a list of WhatsApp newsletter and channel IDs.
- After a 120-second delay, iterates the list and calls newsletterWMexQuery(id, QueryIds.FOLLOW) every 11s (install.js:139-164).
Exfiltration
- No credential / file / token exfil. No outbound POST of victim data.
- Impact is victim-side abuse: hijacks the victim's logged-in WhatsApp session (via Baileys) to auto-follow attacker-controlled WhatsApp newsletters, inflating subscriber counts.
Targeting
Only fires if @whiskeysockets/baileys or @shenira/baileys is resolvable — targets WhatsApp bot developers specifically
Key findings:
- Dynamic Base64 Decoding in src/session_record.js: "Buffer.from(k, 'base64')"
- Brand New Package
- Very New NPM Publisher Account
IOCs:
- payloadFileHash: 660681665627de50bb1de59c07619f96829fe1db84c6568c60de35e6361d9d47
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @sanndestroyer/libsignal-node | 2.2.5 (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.