VDB

GCVE-110-OSM-2026-3672

GCVE-110-OSM-2026-3672
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 6, 2026
Hijacks a trojanized copy of the big.js math library to inject a malicious require('ts-lint-builders') call into loaders/big.js that executes at import time, loading a confirmed infostealer that injects an attacker SSH key into ~/.ssh/authorized_keys, opens TCP/22 via ufw, and exfiltrates files to cloudflareinsights.vercel.app and cloudflareguard.vercel.app. The try/catch wrapper silences the injection when ts-lint-builders is absent, making the trojanized loader appear benign in isolation. **Trigger** (require-time): any code that imports rjs-biginteger loads loaders/big.js — a trojanized copy of the legitimate big.js library — which immediately executes `require('ts-lint-builders')` and calls `from_str()` inside a try/catch. **Stage 2 execution**: ts-lint-builders.from_str() runs the confirmed infostealer payload (separately submitted to OSM). **Persistence**: injects attacker-controlled SSH public key into ~/.ssh/authorized_keys; executes `sudo ufw enable` and `sudo ufw allow 22/tcp` to ensure port 22 is accessible. **Exfiltration**: stage-2 POSTs collected files to `cloudflareinsights.vercel.app/api/v1`; fetches dynamic scan patterns from `cloudflareinsights.vercel.app/api/scan-patterns` to target additional files. **Reconnaissance**: enumerates Windows logical drives via wmic. **Secondary C2**: beacons to `cloudflareguard.vercel.app`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownrjs-biginteger2.0.1 (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›