VDB
GCVE-110-OSM-2026-3335
GCVE-110-OSM-2026-3335
Advisory PublishedCVSS 9.6/10
Drops a 3-stage AES-256-CBC encrypted payload at require-time via a controlled phantom dependency (unique-string-64) injected into a trojanized bn.js clone. The second stage performs multi-layer sandbox evasion (CI, Docker, VM, and low-resource checks) before decrypting the payload with a hardcoded static key and executing it via eval() — with the string 'eval' constructed letter-by-letter from array values to evade static detection. All three packages are controlled by the same actor across three coordinated Proton Mail accounts consistent with DPRK DeceptiveDevelopment campaign dprk-npm-2026-04.
**Trigger** (require-time): ether-bn.js@1.3.1 injects `require('unique-string-64')` into the legitimate bn.js library source. **Stage 2 — sandbox evasion**: unique-string-64@1.1.1 calls node-env-detector, which checks CI environment variables, presence of /.dockerenv, /proc/1/cgroup container indicators, VM hypervisor strings, and below-threshold RAM/CPU counts; aborts payload if any match. **Stage 3 — decrypt+eval**: unique-string-64 decrypts an AES-256-CBC ciphertext (static key: sha256('256-key'), IV: e02c83ded5c06b2039f0db86aad8aa34) and executes the result via `(globalThis)['eval']` — the string 'eval' is constructed from the first characters of array values ['echo','vertex','alpha','length'] to evade static string analysis. Final stage payload and C2 destination are contained within the encrypted ciphertext and have not yet been recovered.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ether-bn.js | 1.3.1 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.