VDB

GCVE-110-OSM-2026-3335

GCVE-110-OSM-2026-3335
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 29, 2026
Drops a 3-stage AES-256-CBC encrypted payload at require-time via a controlled phantom dependency (unique-string-64) injected into a trojanized bn.js clone. The second stage performs multi-layer sandbox evasion (CI, Docker, VM, and low-resource checks) before decrypting the payload with a hardcoded static key and executing it via eval() — with the string 'eval' constructed letter-by-letter from array values to evade static detection. All three packages are controlled by the same actor across three coordinated Proton Mail accounts consistent with DPRK DeceptiveDevelopment campaign dprk-npm-2026-04. **Trigger** (require-time): ether-bn.js@1.3.1 injects `require('unique-string-64')` into the legitimate bn.js library source. **Stage 2 — sandbox evasion**: unique-string-64@1.1.1 calls node-env-detector, which checks CI environment variables, presence of /.dockerenv, /proc/1/cgroup container indicators, VM hypervisor strings, and below-threshold RAM/CPU counts; aborts payload if any match. **Stage 3 — decrypt+eval**: unique-string-64 decrypts an AES-256-CBC ciphertext (static key: sha256('256-key'), IV: e02c83ded5c06b2039f0db86aad8aa34) and executes the result via `(globalThis)['eval']` — the string 'eval' is constructed from the first characters of array values ['echo','vertex','alpha','length'] to evade static string analysis. Final stage payload and C2 destination are contained within the encrypted ciphertext and have not yet been recovered.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownether-bn.js1.3.1 (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›