VDB

GCVE-110-OSM-2026-3170

GCVE-110-OSM-2026-3170
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 26, 2026
Harvests cryptocurrency wallet data by querying TRON, Aptos, and Binance Smart Chain APIs with hardcoded attacker-controlled addresses and executes stage-2 Node.js payloads via child_process.spawn, using an identical malicious payload to sibling package tailwind-effect from the same DPRK-attributed publisher. index.js copies the legitimate TailwindCSS plugin source and appends a character-shuffle obfuscated IIFE after whitespace padding (sha256: 1e2b29888c522c6a34ccc3e2b3239501072a8d67f08a7fd2e441fbeb614c3809 — identical to tailwind-effect). Decoded payload (character-shuffle-sfl rule, 57 strings) executes at require-time: sets global['require'] then constructs and executes a Function from an encoded string, queries api.trongrid.io with attacker TRON wallet addresses TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG for outbound transaction history, queries fullnode.mainnet.aptoslabs.com for Aptos account transactions, calls eth_getTransactionByHash on bsc-dataseed.binance.org (fallback: bsc-rpc.publicnode.com) using BSC transaction hashes 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e and 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3, and executes the retrieved stage-2 payload via child_process.spawn('node', ['-e', ...]). Package description is identical to sibling tailwind-effect; no repository URL.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntailwind-smooth-slider1.1.3 (affected)

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›