VDB

GCVE-110-OSM-2026-4804

GCVE-110-OSM-2026-4804
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 26, 2026
This is a trojanized clone of the legitimate Baileys WhatsApp Web API library. The package is brand-new (single version, single publisher package, no repository) — the classic supply chain squatting profile. While `child_process` and crypto base64 operations have plausible legitimate uses in the legitimate Baileys library, the hidden remote loader and obfuscated bitcoin address confirm adversarial modification. Entrypoint: lib/index.js (main: lib/index.js) Exfil: https://mmg.whatsapp.net/ (custom-c2, recovery: plaintext in lib/Utils/messages-media.js) Payload: lib/Socket/newsletter.js Secondary files: lib/Utils/chat-utils.js, lib/Utils/messages-media.js The clearest adversarial signal is a base64-encoded URL in `lib/Socket/newsletter.js` that decodes to https://raw.githubusercontent.com/dlcine450/fll/refs/heads/main/fll.json` — a remote payload fetch hidden via encoding to evade source inspection `lib/Utils/generics.js` contains a hidden bitcoin address recovered only via deobfuscation, consistent with cryptocurrency address substitution or theft. `lib/Socket/messages-send.js` includes a `.profile` persistence mechanism with no legitimate purpose in a WhatsApp library. IOCs: - urls: https://mmg.whatsapp.net/, https://raw.githubusercontent.com/dlcine450/fll/refs/heads/main/fll.json - emails: 16505361212@c.us, server@c.us, 0@c.us, 13135550002@c.us - payloadFileHash: 0d62a174d8e9668bea74edad2c5b2817c78de348334dbef1707b1c831127c932 Decoded/deobfuscated IOCs: - urls: https://raw.githubusercontent.com/dlcine450/fll/refs/heads/main/fll.json

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownxprov2baileystestall (affected)

References

vendor

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›