VDB
GCVE-110-OSM-2026-5928
GCVE-110-OSM-2026-5928
Advisory PublishedCVSS 9.6/10
This package masquerades as the legitimate Open Whisper Systems libsignal library but silently executes undocumented functionality on import. The entrypoint `index.js` contains a deliberately hidden call — wrapped in a swallowed try-catch — that checks for `install.js` and invokes `installNewsletterAutoFollow()` after a 1-second `setTimeout` delay, clearly designed to fire after the module appears to load cleanly. The function name and the publisher's companion package `@zynstore/baileysnew` indicate a WhatsApp/Baileys supply-chain attack where developers integrating a signal-protocol dependency unknowingly execute newsletter spam or bot-automation code. The `fs` malicious-dependency flags are almost certainly false positives (Node.js built-in), but they are irrelevant to the core finding. The obfuscation via try-catch with no logging, the absence of any documentation of this behavior, and the brand-new single-version account all confirm adversarial intent.
ENTRY
index.js (main: index.js)
OBFUSCATION
- Dynamic Base64 Decoding in src/session_record.js: "Buffer.from(k, 'base64')"
- Strings Extracted from Deobfuscated Code in src/session_record.js
ADDITIONAL FINDINGS
- Malicious Dependency Detected in package.json
PAYLOAD FILES
src/session_record.js
INDICATORS (IOCs)
- domains: KeyExchangeMessage.prototype.id
- payloadFileHash: 660681665627de50bb1de59c07619f96829fe1db84c6568c60de35e6361d9d47
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @zynstore/libsignal-node | all (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.