VDB
GCVE-110-OSM-2026-3944
GCVE-110-OSM-2026-3944
Advisory PublishedCVSS 9.6/10
Steals cryptocurrency wallet funds across TRON, Aptos, BSC, and ETH by querying blockchain APIs against victim wallet addresses at require-time, using two hardcoded attacker-controlled TRON wallet addresses (TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG) as drain recipients. Spawns a stage-2 payload via child_process.spawn at runtime. Published by a confirmed DeceptiveDevelopment (DPRK) watchlist actor; package presents as a functional TailwindCSS animation plugin to avoid detection.
**Trigger** (require-time): Two-layer obfuscated IIFE in src/index.js executes on every require() — outer eval(atob(...)) wrapper decodes to inner sfL() character-shuffle cipher.
**Collection**: Blockchain API queries enumerate victim wallet transaction history across TRON (api.trongrid.io), Aptos (fullnode.mainnet.aptoslabs.com), BSC/ETH (bsc-dataseed.binance.org, bsc-rpc.publicnode.com).
**Drain**: Hardcoded attacker wallets TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG are embedded as recipients.
**Stage-2**: child_process.spawn('node', ['-e', <dynamically assembled JS>]) drops and executes a second-stage payload; downstream content not recovered.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tailwind-animation-effect | 2.6.0 (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.