VDB
GCVE-110-OSM-2026-5189
GCVE-110-OSM-2026-5189
Advisory PublishedCVSS 8.8/10
The develop branch of weDevsOfficial/wedocs-plugin was compromised by the
PolinRider threat actor (attributed to DPRK / Lazarus Group). A multi-stage
obfuscated JavaScript payload was appended to tailwind.config.js after the
legitimate config terminator, with injected createRequire lines corrupting
the import block. This is consistent with PolinRider's documented propagation
mechanism: temp_auto_push.bat auto-commits to all repositories open on a
compromised developer machine without the developer's knowledge.
GitHub Copilot auto-detected the payload and opened PR #311 on May 7, 2026
titled "Security: remove PolinRider payload from tailwind.config.js and
restore clean CommonJS config". The maintainer manually remediated on
May 12, 2026 with commit "remove: obfuscated code". The repository is now
clean but the infection period and any downstream exposure are unconfirmed.
weDevs powers 530,000+ WordPress websites according to their own documentation.
While the infection was confined to the develop branch and remediated before
any release, downstream exposure of developers building from develop between
the infection date and May 12, 2026 cannot be ruled out.
Multi-stage obfuscated JavaScript appended after the export default
terminator in tailwind.config.js. PolinRider payloads use a character
permutation obfuscation scheme with hardcoded numeric seeds (2857687 outer
layer, 2667686 inner function sfL) to decode strings at runtime, then use
Function.prototype.constructor to dynamically build and execute the final
payload. The final stage contacts TRON blockchain accounts to retrieve
XOR-encrypted second-stage code. Payload is pushed below the visible area
of any editor or GitHub diff view using whitespace padding.
Payload confirmed via PR #311 diff. Contains PolinRider primary signature
("rmcej%otb%", seed 2857687), inner obfuscation function sfL (seed 2667686),
and character permutation algorithm consistent with documented PolinRider
technique. Matches signatures in OpenSourceMalware/PolinRider dossier.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (the develop branch was infected, not a versioned release) (affected) | — |
References
Malicious package:
advisory
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.