VDB
GCVE-110-OSM-2026-5530
GCVE-110-OSM-2026-5530
Advisory PublishedCVSS 9.6/10
This package is a trojanized clone of the popular Baileys WhatsApp Web API library. The attacker model is credential/session theft combined with persistence: `lib/Utils/rich.js` contains both `exec(code)` dynamic code execution and `.profile` shell startup modification, a clear persistence-plus-execution pairing that has no legitimate place in a WhatsApp client library. The `.profile` persistence marker appears in three separate files (`messages-send.js`, `make-in-memory-store.js`, `rich.js`), suggesting deliberate injection rather than a copy-paste artifact. The `uploadFile` function in `messages-media.js` hardcodes four anonymous file-hosting services (catbox.moe, qu.ax/upload.php, uguu.se/upload.php, tmpfiles.org) as a sequential fallback chain — this is an exfiltration staging mechanism consistent with harvesting WhatsApp session keys (which the Signal protocol code handles throughout the library) and exporting them to attacker-controlled or anonymous infrastructure. The `whitespace-padded-payload` finding in `decode-wa-message.js` is an additional payload concealment indicator. The package was created and published within hours by a brand-new single-package author, consistent with a supply-chain attack targeting developers of WhatsApp bots.
Entrypoint: engine-requirements.js (install-hook: node ./engine-requirements.js)
Exfil: https://catbox.moe/user/api.php (custom-c2, recovery: plaintext in lib/Utils/messages-media.js)
Payload: lib/Utils/rich.js
Secondary files: lib/Utils/chat-utils.js, lib/Utils/messages-media.js
Key findings:
- URL-Based Dependency in package.json: ""dependencies": {
"@adiwajshing/keyed-db": "^0.2.4",
"@cacheable/node-ca..."
- Dynamic Base64 Decoding in lib/Signal/Group/group_cipher.js: "Buffer.from(iv, 'base64')"
- Dynamic Base64 Decoding in lib/Signal/Group/sender-key-state.js: "Buffer.from(chainKey, 'base64')"
- Platform Detection with Data Collection in lib/Socket/messages-recv.js: "JSON.stringify({ ...child, content: Buffer.isBuffer(child.content) ? child.conte..."
- Shell Command Execution in lib/Socket/messages-send.js: "require('child_process')"
IOCs:
- urls: https://catbox.moe/user/api.php, https://qu.ax/upload.php, https://uguu.se/upload.php, https://tmpfiles.org/api/v1/upload, https://ezgif.com (+1 more)
- domains: sock.ws, creds.me, update.me, whatsapp.net, qu.ax (+6 more)
- emails: 16505361212@c.us, server@c.us, 0@c.us, 13135550002@c.us
- bitcoinAddresses: 123456789ABCDEFGHJKLMNPQRSTVWXYZ
- sha256Hashes: 0903aa5f7f47de66789d5f4c86d3bd6e05e4bc3ff85e454a9f907d5ed7fef97c
- payloadFileHash: 6a57d148f51c9051128af1222db467f7460b243d1238743d66ff7aa3576bbef6
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | mid-baileys | 0.7.1 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.