VDB

GCVE-110-OSM-2026-3159

GCVE-110-OSM-2026-3159
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 26, 2026
Executes attacker-controlled obfuscated payloads at require-time via a staged two-package delivery chain: streamlyx@1.0.2 loads byteutilsbox@1.0.2, an attacker-controlled dependency staged 28 minutes earlier containing a 346KB obfuscated payload that executes when imported. streamlyx@1.0.2 is a trojanized copy of the legitimate kikobeats/debug package published by DPRK-attributed account brycemillerdev (brycemillertech@outlook.com). The sole change from v1.0.1 to v1.0.2 is bumping the attacker-controlled dependency byteutilsbox from ^1.0.1 to ^1.0.2. byteutilsbox@1.0.2 (sha256(common.js): 3bb2885e8276fc9e7a76a6fa0c4268ae09c3d1f50be5a0da384c5258fc8d0119) was staged 28 minutes before streamlyx@1.0.2 and contains a 346KB obfuscated payload using a custom multi-argument arithmetic string obfuscation family (Q/nW/g/y/q lookup functions with numeric offsets) distinct from standard obfuscator.io variants. The payload executes at require-time (has_require_time_execution confirmed by sandbox). streamlyx/src/index.js (sha256: dfebff5a6585363f897e527e269595fcf845f060818cf29e7b2c410a13ba94f4) also contains RC4+base64 obfuscation. Exact C2 endpoint not recovered due to unresolved obfuscation. The publisher email brycemillertech@outlook.com rotated from the legitimate author email josefrancisco.verdu@gmail.com (Kiko Beats) between v1.0.1 and v1.0.2, indicating account compromise or deliberate impersonation.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstreamlyx1.0.2 (affected)

References

vendor

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›