VDB
GCVE-110-OSM-2026-3672
GCVE-110-OSM-2026-3672
Advisory PublishedCVSS 8.8/10
Hijacks a trojanized copy of the big.js math library to inject a malicious require('ts-lint-builders') call into loaders/big.js that executes at import time, loading a confirmed infostealer that injects an attacker SSH key into ~/.ssh/authorized_keys, opens TCP/22 via ufw, and exfiltrates files to cloudflareinsights.vercel.app and cloudflareguard.vercel.app. The try/catch wrapper silences the injection when ts-lint-builders is absent, making the trojanized loader appear benign in isolation.
**Trigger** (require-time): any code that imports rjs-biginteger loads loaders/big.js — a trojanized copy of the legitimate big.js library — which immediately executes `require('ts-lint-builders')` and calls `from_str()` inside a try/catch.
**Stage 2 execution**: ts-lint-builders.from_str() runs the confirmed infostealer payload (separately submitted to OSM).
**Persistence**: injects attacker-controlled SSH public key into ~/.ssh/authorized_keys; executes `sudo ufw enable` and `sudo ufw allow 22/tcp` to ensure port 22 is accessible.
**Exfiltration**: stage-2 POSTs collected files to `cloudflareinsights.vercel.app/api/v1`; fetches dynamic scan patterns from `cloudflareinsights.vercel.app/api/scan-patterns` to target additional files.
**Reconnaissance**: enumerates Windows logical drives via wmic.
**Secondary C2**: beacons to `cloudflareguard.vercel.app`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | rjs-biginteger | 2.0.1 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.