VDB
GCVE-110-OSM-2026-3332
GCVE-110-OSM-2026-3332
Advisory PublishedCVSS 8.8/10
Executes a character-shuffle obfuscated IIFE at require-time via an IIFE appended after legitimate TailwindCSS plugin code, querying TRON, Aptos, and BSC blockchain APIs with hardcoded attacker-controlled wallet addresses. Behavior is consistent with blockchain-as-C2 beaconing or targeted reconnaissance against cryptocurrency developers. Actor infrastructure domain kowaki4759.marvetos.com present in package metadata. Publisher is a confirmed DPRK DeceptiveDevelopment actor.
**Trigger** (require-time IIFE): obfuscated IIFE in src/index.js executes immediately on `require()` of the package. **Obfuscation**: character-shuffle-sfl variant; 57 strings decoded from rotation cipher. **Execution**: `child_process.spawn('node', ['-e', <dynamically constructed payload>])` spawns a new node process. **Blockchain queries**: queries TRON (api.trongrid.io), Aptos (fullnode.mainnet.aptoslabs.com), and BSC (bsc-dataseed.binance.org, bsc-rpc.publicnode.com) APIs with hardcoded attacker-controlled TRON wallet addresses TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG and ETH/BSC tx hashes 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e and 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3. **Actor infrastructure**: package metadata author email domain kowaki4759.marvetos.com is attacker-controlled infrastructure.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tailwindcss-fonttypo-inter | 2.3.2 (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.