VDB
GCVE-110-OSM-2026-3170
GCVE-110-OSM-2026-3170
Advisory PublishedCVSS 8.8/10
Harvests cryptocurrency wallet data by querying TRON, Aptos, and Binance Smart Chain APIs with hardcoded attacker-controlled addresses and executes stage-2 Node.js payloads via child_process.spawn, using an identical malicious payload to sibling package tailwind-effect from the same DPRK-attributed publisher.
index.js copies the legitimate TailwindCSS plugin source and appends a character-shuffle obfuscated IIFE after whitespace padding (sha256: 1e2b29888c522c6a34ccc3e2b3239501072a8d67f08a7fd2e441fbeb614c3809 — identical to tailwind-effect). Decoded payload (character-shuffle-sfl rule, 57 strings) executes at require-time: sets global['require'] then constructs and executes a Function from an encoded string, queries api.trongrid.io with attacker TRON wallet addresses TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG for outbound transaction history, queries fullnode.mainnet.aptoslabs.com for Aptos account transactions, calls eth_getTransactionByHash on bsc-dataseed.binance.org (fallback: bsc-rpc.publicnode.com) using BSC transaction hashes 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e and 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3, and executes the retrieved stage-2 payload via child_process.spawn('node', ['-e', ...]). Package description is identical to sibling tailwind-effect; no repository URL.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tailwind-smooth-slider | 1.1.3 (affected) | — |
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.