VDB
GCVE-110-OSM-2026-4804
GCVE-110-OSM-2026-4804
Advisory PublishedCVSS 8.8/10
This is a trojanized clone of the legitimate Baileys WhatsApp Web API library.
The package is brand-new (single version, single publisher package, no repository) — the classic supply chain squatting profile. While `child_process` and crypto base64 operations have plausible legitimate uses in the legitimate Baileys library, the hidden remote loader and obfuscated bitcoin address confirm adversarial modification.
Entrypoint: lib/index.js (main: lib/index.js)
Exfil: https://mmg.whatsapp.net/ (custom-c2, recovery: plaintext in lib/Utils/messages-media.js)
Payload: lib/Socket/newsletter.js
Secondary files: lib/Utils/chat-utils.js, lib/Utils/messages-media.js
The clearest adversarial signal is a base64-encoded URL in `lib/Socket/newsletter.js` that decodes to https://raw.githubusercontent.com/dlcine450/fll/refs/heads/main/fll.json` — a remote payload fetch hidden via encoding to evade source inspection `lib/Utils/generics.js` contains a hidden bitcoin address recovered only via deobfuscation, consistent with cryptocurrency address substitution or theft. `lib/Socket/messages-send.js` includes a `.profile` persistence mechanism with no legitimate purpose in a WhatsApp library.
IOCs:
- urls: https://mmg.whatsapp.net/, https://raw.githubusercontent.com/dlcine450/fll/refs/heads/main/fll.json
- emails: 16505361212@c.us, server@c.us, 0@c.us, 13135550002@c.us
- payloadFileHash: 0d62a174d8e9668bea74edad2c5b2817c78de348334dbef1707b1c831127c932
Decoded/deobfuscated IOCs:
- urls: https://raw.githubusercontent.com/dlcine450/fll/refs/heads/main/fll.json
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | xprov2baileystest | all (affected) | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.