VDB

GCVE-110-OSM-2026-2719

GCVE-110-OSM-2026-2719
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 18, 2026
This malicious NPM package is built for follower-farming / social-boost botnet, and is not a data stealer. Payload: src/session_record.js 1. index.js:14-23 — on require(), schedules install.js to run 1s later (no postinstall hook; triggered at runtime import). 2. install.js:findBaileysPath() — hunts for @whiskeysockets/baileys or @shenira/baileys in parent node_modules. 3. install.js:428 — overwrites baileys/lib/Socket/newsletter.js with attacker's version, then force-exits the host process after 20s (install.js:434-438). 4. Drops node_modules/.cache with sentinel content "Iove" to skip re-patching. C2 / Payload pull - second stage payload: https://raw.githubusercontent.com/sanndestroyer/destroyerbail/refs/heads/main/x.json (install.js:142) — a list of WhatsApp newsletter and channel IDs. - After a 120-second delay, iterates the list and calls newsletterWMexQuery(id, QueryIds.FOLLOW) every 11s (install.js:139-164). Exfiltration - No credential / file / token exfil. No outbound POST of victim data. - Impact is victim-side abuse: hijacks the victim's logged-in WhatsApp session (via Baileys) to auto-follow attacker-controlled WhatsApp newsletters, inflating subscriber counts. Targeting Only fires if @whiskeysockets/baileys or @shenira/baileys is resolvable — targets WhatsApp bot developers specifically Key findings: - Dynamic Base64 Decoding in src/session_record.js: "Buffer.from(k, 'base64')" - Brand New Package - Very New NPM Publisher Account IOCs: - payloadFileHash: 660681665627de50bb1de59c07619f96829fe1db84c6568c60de35e6361d9d47

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@sanndestroyer/libsignal-node2.2.5 (affected)

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›