VDB
GCVE-110-OSM-2026-314
GCVE-110-OSM-2026-314
Advisory PublishedCVSS 8.8/10
Compromised PHP/Composer package attributed to Famous Chollima (North Korean APT, "Contagious Interview" cluster), reported by Socket on 2026-05-31. A malicious JavaScript loader (tailwind.js) was injected on the feature branch dev-drewroberts/feature/test-case (commit 6c5c3c7655ce76399af11126b7e9a9058eb2e45d), hidden after legitimate Tailwind config using whitespace concealment. This is a poisoned-branch / repository compromise, not a stable-release compromise. Maintainer Drew Roberts is not implicated as the threat actor.
Malicious payload found in: tailwind.js (branch dev-drewroberts/feature/test-case)
BEHAVIOR (multi-stage JavaScript loader):
- Sets campaign marker global['!']='9-0264-2' (later 'A9-0264-2'); obfuscation markers _$_1e42, rmcej%otb%.
- Reconstructs Node.js internals (require/module) to obscure calls.
- resolvePayload() fetches first-stage with XOR key "2[gWfGj;<:-93Z^C", runs it via eval().
- Spawns hidden detached second stage: child_process.spawn("node",["-e",payload],{detached:true,stdio:"ignore",windowsHide:true}); decrypted with XOR key "m6:tTh^D)cBz?NM]".
BLOCKCHAIN DEAD-DROP RESOLVER (abuses legitimate services):
- TRON: api.trongrid.io/v1/accounts/{wallet}/transactions?only_confirmed=true&only_from=true&limit=1
- Aptos fallback: fullnode.mainnet.aptoslabs.com/v1/accounts/{address}/transactions?limit=1
- BNB Smart Chain RPC (bsc-dataseed/bsc-rpc): fetches tx input data containing encrypted next-stage.
IOCs:
- SHA256 archive: 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f
- SHA256 tailwind.js: 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3
- TRON wallets: TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP, TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG
- Aptos: 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e, 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3
IMPACT: visible loader does not directly exfiltrate, but the remote second stage gains process.env (CI secrets, cloud creds), local files (.env, SSH keys, package tokens, source), git metadata/credentials, and arbitrary child-process execution. Prior campaigns on this same blockchain-C2 infra and overlapping wallets delivered DEV#POPPER RAT, OmniStealer, and BeaverTail-family payloads.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tucyzirille-studio.angular-pro-tools-extension | * (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected), * (affected) | — |
| unknown | roberts/leads | dev-drewroberts/feature/test-case (affected) | — |
| unknown | tima-web-wang.shell-check-utils | all (affected), all (affected), * (affected), all (affected), all (affected), * (affected) | — |
| unknown | Stl.Rpc.Server.Net.Fx | all (affected) | — |
| unknown | tokcodes.import-cost-extension | all (affected) | — |
References
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.