VDB

GCVE-110-OSM-2026-5189

GCVE-110-OSM-2026-5189
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 2, 2026
The develop branch of weDevsOfficial/wedocs-plugin was compromised by the PolinRider threat actor (attributed to DPRK / Lazarus Group). A multi-stage obfuscated JavaScript payload was appended to tailwind.config.js after the legitimate config terminator, with injected createRequire lines corrupting the import block. This is consistent with PolinRider's documented propagation mechanism: temp_auto_push.bat auto-commits to all repositories open on a compromised developer machine without the developer's knowledge. GitHub Copilot auto-detected the payload and opened PR #311 on May 7, 2026 titled "Security: remove PolinRider payload from tailwind.config.js and restore clean CommonJS config". The maintainer manually remediated on May 12, 2026 with commit "remove: obfuscated code". The repository is now clean but the infection period and any downstream exposure are unconfirmed. weDevs powers 530,000+ WordPress websites according to their own documentation. While the infection was confined to the develop branch and remediated before any release, downstream exposure of developers building from develop between the infection date and May 12, 2026 cannot be ruled out. Multi-stage obfuscated JavaScript appended after the export default terminator in tailwind.config.js. PolinRider payloads use a character permutation obfuscation scheme with hardcoded numeric seeds (2857687 outer layer, 2667686 inner function sfL) to decode strings at runtime, then use Function.prototype.constructor to dynamically build and execute the final payload. The final stage contacts TRON blockchain accounts to retrieve XOR-encrypted second-stage code. Payload is pushed below the visible area of any editor or GitHub diff view using whitespace padding. Payload confirmed via PR #311 diff. Contains PolinRider primary signature ("rmcej%otb%", seed 2857687), inner obfuscation function sfL (seed 2667686), and character permutation algorithm consistent with documented PolinRider technique. Matches signatures in OpenSourceMalware/PolinRider dossier.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownall (the develop branch was infected, not a versioned release) (affected)

References

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›