VDB

GCVE-110-OSM-2026-5928

GCVE-110-OSM-2026-5928
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package masquerades as the legitimate Open Whisper Systems libsignal library but silently executes undocumented functionality on import. The entrypoint `index.js` contains a deliberately hidden call — wrapped in a swallowed try-catch — that checks for `install.js` and invokes `installNewsletterAutoFollow()` after a 1-second `setTimeout` delay, clearly designed to fire after the module appears to load cleanly. The function name and the publisher's companion package `@zynstore/baileysnew` indicate a WhatsApp/Baileys supply-chain attack where developers integrating a signal-protocol dependency unknowingly execute newsletter spam or bot-automation code. The `fs` malicious-dependency flags are almost certainly false positives (Node.js built-in), but they are irrelevant to the core finding. The obfuscation via try-catch with no logging, the absence of any documentation of this behavior, and the brand-new single-version account all confirm adversarial intent. ENTRY index.js (main: index.js) OBFUSCATION - Dynamic Base64 Decoding in src/session_record.js: "Buffer.from(k, 'base64')" - Strings Extracted from Deobfuscated Code in src/session_record.js ADDITIONAL FINDINGS - Malicious Dependency Detected in package.json PAYLOAD FILES src/session_record.js INDICATORS (IOCs) - domains: KeyExchangeMessage.prototype.id - payloadFileHash: 660681665627de50bb1de59c07619f96829fe1db84c6568c60de35e6361d9d47

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@zynstore/libsignal-nodeall (affected)

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›