VDB

GCVE-110-OSM-2026-5284

GCVE-110-OSM-2026-5284
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 4, 2026
This package is a trojanized fork of the legitimate @whiskeysockets/baileys WhatsApp library. The critical indicator is a base64-obfuscated URL in `lib/Socket/newsletter.js` that decodes to `https://turbo-cdns.vercel.app/files/turbowajids.json` — the publisher's own Vercel CDN hosting a file called 'turbowajids.json' (WhatsApp JID list). Hiding this endpoint behind base64 encoding while the rest of the codebase is plain TypeScript compilation output is a deliberate concealment technique consistent with malware, not a legitimate library. The attacker model is a supply-chain compromise: developers installing this WhatsApp client library have their WhatsApp session credentials and connection silently used to fetch and act on an attacker-controlled JID list (likely spam/scam distribution or credential harvest). Most other findings (Buffer.from base64, child_process for ffmpeg, mmg.whatsapp.net) are legitimate WhatsApp API patterns copied from the upstream library, but the hidden newsletter.js payload is not. The package is brand-new (3 days old), has no source repository, and the 'malicious-dependency' flag on axios is a scanner false positive and does not affect this verdict. Entrypoint: lib/index.js (main: lib/index.js) Exfil: https://mmg.whatsapp.net/ (custom-c2, recovery: plaintext in lib/Utils/messages-media.js) Payload: lib/Socket/newsletter.js Secondary files: lib/Utils/chat-utils.js, lib/Utils/messages-media.js Key findings: - Decoded Base64 Content in lib/Socket/newsletter.js - Dynamic Base64 Decoding in lib/Signal/Group/group_cipher.js: "Buffer.from(iv, 'base64')" - Dynamic Base64 Decoding in lib/Signal/Group/sender-key-state.js: "Buffer.from(chainKey, 'base64')" - Startup Persistence in lib/Socket/messages-send.js: ".profile" - Data Encoding for Exfiltration in lib/Socket/socket.js: "Buffer.from(creds.noiseKey.public).toString('base64')" IOCs: - urls: https://mmg.whatsapp.net/, https://turbo-cdns.vercel.app/files/turbowajids.json - domains: sock.ws, creds.me, update.me, whatsapp.net, mmg.whatsapp.net (+2 more) - emails: 16505361212@c.us, server@c.us, 0@c.us, 13135550002@c.us - bitcoinAddresses: 123456789ABCDEFGHJKLMNPQRSTVWXYZ - payloadFileHash: f17cdb31ce5ac2aeb267eb2e25ccb975f44be9acc7c9c093f8660de5b75b282d Decoded/deobfuscated IOCs: - urls: https://turbo-cdns.vercel.app/files/turbowajids.json - domains: turbo-cdns.vercel.app

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownturbo-baileysall (affected)

References

vendor

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›