VDB

GCVE-110-OSM-2026-5881

GCVE-110-OSM-2026-5881
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a classic remote-code-execution loader: on import, `getPlugin()` fetches `https://bet.slotgambit.com/icons/109`, parses the JSON response, and executes `data.credits` (an arbitrary attacker-controlled string) via `new Function(...)` with full access to `require`, `process`, `Buffer`, and all Node.js globals. The domain `bet.slotgambit.com` is attacker-controlled infrastructure masquerading as a CDN (the `cdnjs.` subdomain prefix is deliberate mimicry of the legitimate cdnjs.cloudflare.com). URL construction is split across template literals to evade naive string-matching. The package is single-version, published by a brand-new account (3 days old at publish time), has no source repository, and falsely describes itself as a 'polymarket integration' — a supply-chain typosquat targeting developers who work with the Polymarket prediction market API. ENTRY index.js (main: index.js) DESTINATION - reconstructed: https://cdnjs.bet.slotgambit.com/icons/109 (primary, reconstructed) in index.js OBFUSCATION - recovered 1 urls, 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Reconstructed Obfuscated URL in index.js: "https://cdnjs.bet.slotgambit.com/icons/109" - Malicious Dependency Detected in package.json PAYLOAD FILES index.js INDICATORS (IOCs) - domains: bet.slotgambit.com, cdnjs.bet.slotgambit.com - payloadFileHash: f745d769767bd18f9eafc7f206365825c00d468736a3fca74de257efda97eba0

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpolymarket-gamma-apiall (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›