VDB

GCVE-110-OSM-2026-3944

GCVE-110-OSM-2026-3944
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 11, 2026
Steals cryptocurrency wallet funds across TRON, Aptos, BSC, and ETH by querying blockchain APIs against victim wallet addresses at require-time, using two hardcoded attacker-controlled TRON wallet addresses (TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG) as drain recipients. Spawns a stage-2 payload via child_process.spawn at runtime. Published by a confirmed DeceptiveDevelopment (DPRK) watchlist actor; package presents as a functional TailwindCSS animation plugin to avoid detection. **Trigger** (require-time): Two-layer obfuscated IIFE in src/index.js executes on every require() — outer eval(atob(...)) wrapper decodes to inner sfL() character-shuffle cipher. **Collection**: Blockchain API queries enumerate victim wallet transaction history across TRON (api.trongrid.io), Aptos (fullnode.mainnet.aptoslabs.com), BSC/ETH (bsc-dataseed.binance.org, bsc-rpc.publicnode.com). **Drain**: Hardcoded attacker wallets TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG are embedded as recipients. **Stage-2**: child_process.spawn('node', ['-e', <dynamically assembled JS>]) drops and executes a second-stage payload; downstream content not recovered.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntailwind-animation-effect2.6.0 (affected)

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›