VDB
GCVE-110-OSM-2026-4273
GCVE-110-OSM-2026-4273
Advisory PublishedCVSS 8.8/10
Harvests TRON and Aptos cryptocurrency wallet balances for four attacker-controlled addresses (TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP, TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG, 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e, 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3) via rapid polling of api.trongrid.io and fullnode.mainnet.aptoslabs.com executed at require-time. The payload is a multi-layer obfuscated eval chain appended after legitimate Emittery event-emitter code; deobfuscation is partial and the confirmed wallet-drain stage carries campaign token '5-Emittery' in global scope. Package is a double typosquat of emittery and styled-components published across three versions in 8 minutes with no source repository.
**Trigger** (`require-time`): top-level IIFE executes immediately when the package is required — no install hook is present in package.json.
**Obfuscation**: multi-layer custom cipher — a character-position swap bootstrap (_$_c266) feeds a string-array shuffle (VQu) which drives a layered eval chain (omF/lBc IIFE). The obfuscated payload is appended after the legitimate Emittery class export in index.js.
**Global scope pollution**: payload sets `global['!'] = '5-Emittery'` (campaign token) and assigns `require` and `module` to global keys, exposing Node.js internals to the eval'd payload.
**Collection**: polls live blockchain balance and resource endpoints for four attacker-controlled wallet addresses across two chains (TRON and Aptos) at a 9.25ms polling interval — consistent with balance monitoring prior to a drain transaction.
**Exfiltration**: outbound HTTPS GET to api.trongrid.io and fullnode.mainnet.aptoslabs.com.
**Note**: deobfuscation is partial; the confirmed behavior is the visible first stage of the obfuscated payload.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | emittery_styled | 7.9.1 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.