VDB

GCVE-110-OSM-2026-4273

GCVE-110-OSM-2026-4273
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 13, 2026
Harvests TRON and Aptos cryptocurrency wallet balances for four attacker-controlled addresses (TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP, TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG, 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e, 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3) via rapid polling of api.trongrid.io and fullnode.mainnet.aptoslabs.com executed at require-time. The payload is a multi-layer obfuscated eval chain appended after legitimate Emittery event-emitter code; deobfuscation is partial and the confirmed wallet-drain stage carries campaign token '5-Emittery' in global scope. Package is a double typosquat of emittery and styled-components published across three versions in 8 minutes with no source repository. **Trigger** (`require-time`): top-level IIFE executes immediately when the package is required — no install hook is present in package.json. **Obfuscation**: multi-layer custom cipher — a character-position swap bootstrap (_$_c266) feeds a string-array shuffle (VQu) which drives a layered eval chain (omF/lBc IIFE). The obfuscated payload is appended after the legitimate Emittery class export in index.js. **Global scope pollution**: payload sets `global['!'] = '5-Emittery'` (campaign token) and assigns `require` and `module` to global keys, exposing Node.js internals to the eval'd payload. **Collection**: polls live blockchain balance and resource endpoints for four attacker-controlled wallet addresses across two chains (TRON and Aptos) at a 9.25ms polling interval — consistent with balance monitoring prior to a drain transaction. **Exfiltration**: outbound HTTPS GET to api.trongrid.io and fullnode.mainnet.aptoslabs.com. **Note**: deobfuscation is partial; the confirmed behavior is the visible first stage of the obfuscated payload.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownemittery_styled7.9.1 (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›