VDB

GCVE-110-OSM-2026-2735

GCVE-110-OSM-2026-2735
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 19, 2026
Malicious package detected. Behaviors: obfuscated code. Payload: dist/allowances.js Key findings: - Decoded Base64 Content in dist/allowances.js - Brand New Package IOCs: - urls: https://rpc.ankr.com/polygon, https://polygon.llamarpc.com, https://rpc-mainnet.matic.quiknode.pro, https://rpc-amoy.polygon.technology, https://api.telegram.org/bot7522874531:AAG3a_5La_J0AEzEpFr1e2fYoKlu_fx0T1k/sendMessage`, - domains: polygon-mainnet.g.alchemy.com, rpc.ankr.com, rpc-mainnet.matic.quiknode.pro, polygon-amoy.g.alchemy.com, rpc-amoy.polygon.technology (+1 more) - telegramBots: api.telegram.org/bot7522874531:AAG3a_5La_J0AEzEpFr1e2fYoKlu_fx0T1k - payloadFileHash: 3bca985494322fed64fe7cdc64b4f471be9736442eb19e56754412b7ae8ed279 Decoded/deobfuscated IOCs: - urls: https://api.telegram.org/bot7522874531:AAG3a_5La_J0AEzEpFr1e2fYoKlu_fx0T1k/sendMessage`, - domains: api.telegram.org - telegramBots: api.telegram.org/bot7522874531:AAG3a_5La_J0AEzEpFr1e2fYoKlu_fx0T1k

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpolymarket-onchain-pluginall (affected)

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›