VDB

GCVE-110-OSM-2026-5103

GCVE-110-OSM-2026-5103
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 31, 2026
Compromised PHP/Composer package attributed to Famous Chollima (North Korean APT, "Contagious Interview" cluster), reported by Socket on 2026-05-31. A malicious JavaScript loader (tailwind.js) was injected on the feature branch dev-drewroberts/feature/test-case (commit 6c5c3c7655ce76399af11126b7e9a9058eb2e45d), hidden after legitimate Tailwind config using whitespace concealment. This is a poisoned-branch / repository compromise, not a stable-release compromise. Maintainer Drew Roberts is not implicated as the threat actor. Malicious payload found in: tailwind.js (branch dev-drewroberts/feature/test-case) BEHAVIOR (multi-stage JavaScript loader): - Sets campaign marker global['!']='9-0264-2' (later 'A9-0264-2'); obfuscation markers _$_1e42, rmcej%otb%. - Reconstructs Node.js internals (require/module) to obscure calls. - resolvePayload() fetches first-stage with XOR key "2[gWfGj;<:-93Z^C", runs it via eval(). - Spawns hidden detached second stage: child_process.spawn("node",["-e",payload],{detached:true,stdio:"ignore",windowsHide:true}); decrypted with XOR key "m6:tTh^D)cBz?NM]". BLOCKCHAIN DEAD-DROP RESOLVER (abuses legitimate services): - TRON: api.trongrid.io/v1/accounts/{wallet}/transactions?only_confirmed=true&only_from=true&limit=1 - Aptos fallback: fullnode.mainnet.aptoslabs.com/v1/accounts/{address}/transactions?limit=1 - BNB Smart Chain RPC (bsc-dataseed/bsc-rpc): fetches tx input data containing encrypted next-stage. IOCs: - SHA256 archive: 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f - SHA256 tailwind.js: 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 - TRON wallets: TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP, TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG - Aptos: 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e, 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3 IMPACT: visible loader does not directly exfiltrate, but the remote second stage gains process.env (CI secrets, cloud creds), local files (.env, SSH keys, package tokens, source), git metadata/credentials, and arbitrary child-process execution. Prior campaigns on this same blockchain-C2 infra and overlapping wallets delivered DEV#POPPER RAT, OmniStealer, and BeaverTail-family payloads.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (affected)

References

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›