VDB

GCVE-110-OSM-2026-6221

GCVE-110-OSM-2026-6221
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 18, 2026
Suspected dependency confusion attack. Behaviors: data exfiltration, code execution, obfuscated code. ENTRY sw.js (main: sw.js) LOOT - Browser Data Theft in assets/nttg54ebk2.js: "Brave\x20Sear','FiHkS','nt)]\x20focus','vars','over:bg-[v','sessionSto','1\x20md..." - Browser Data Theft in assets/qzcpiwg4gv.js: "chrome/','controls','dmCFX','reshold','markerWidt','GdoXw','SHgpF','DolFD','aMcK..." DESTINATION - custom-c2: https://publicsuffix.org/list/public_suffix_list.dat (primary, plaintext) in 8cfc2/hgshm.js - custom-c2: https://du (plaintext) in assets/a3g0q43tbe.js - custom-c2: https://cd (plaintext) in assets/a3g0q43tbe.js - custom-c2: https://mo (plaintext) in assets/a3g0q43tbe.js - custom-c2: https://to (plaintext) in assets/a3g0q43tbe.js - custom-c2: https://ex (plaintext) in assets/a3g0q43tbe.js - custom-c2: https://di (plaintext) in assets/a3g0q43tbe.js - custom-c2: https://curl.se/docs/copyright.html (plaintext) in j3ve9/ls3ez.mjs (+21 more) EXFIL - Data Encoding for Exfiltration in 8cfc2/hgshm.js: "btoa(" - Dynamic C2 Endpoint Construction in 8cfc2/hgshm.js: "function r(e){return"string"==typeof e&&!!e.trim()}function n(e,n){var i,a,s,o,l..." - Data Encoding for Exfiltration in assets/a3g0q43tbe.js: "encodeURIComponent(_0x546912)):void(0x5*-0x6e2+-0x269e*0x1+0x148*0x39);}catch{if..." - Data Encoding for Exfiltration in assets/tlz3pvqimi.js: "encodeURIComponent(_0x4c943d);}function z(_0x9e365f,_0x359e8d){const _0x2424dd={..." - Network Request in 8cfc2/hgshm.js: "fetch("https:" - Network Request in j3ve9/ls3ez.mjs: "Request("http:" OBFUSCATION - Dynamic Base64 Decoding in 8cfc2/hgshm.js: "atob(t)" - Obfuscation: function to array replacements in 8cfc2/hgshm.js - Obfuscation: augmented proxied array function replacements in assets/3oruu3por5.js - Obfuscation: augmented proxied array function replacements in assets/6y4sp7rdhb.js - Obfuscation: augmented proxied array function replacements in assets/8qezz8tdz1.js - Obfuscation: augmented proxied array function replacements in assets/a3g0q43tbe.js - Obfuscation: augmented proxied array function replacements in assets/blhj60cfaf.js - Obfuscation: augmented proxied array function replacements in assets/cl75b3c3pk.js (+54 more) ADDITIONAL FINDINGS - Dynamic Code Execution in 8cfc2/hgshm.js: "exec(p)" - Clipboard Access in 8cfc2/hgshm.js: "navigator.clipboard.writeText" - Silent Process Execution in 8cfc2/hgshm.js: "{silent: true" - XOR-Encoded String Arrays in j3ve9/ls3ez.mjs: "var __MONTH_DAYS_LEAP = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]" - Publisher Shows Burner-Account Pattern PAYLOAD FILES 8cfc2/hgshm.js INDICATORS (IOCs) - ipv4: 1.86.47.234, 1.4.2.7, 1.3.3.6, 2.3.5.6 - ipv6: 50::, 60::, 72::, 90::, 7:: (+1 more) - urls: https://um, https://po, https://cl, https://ss, https://se (+2 more) - domains: w.bing.com, 21baseballacademy.com, abdct.com - payloadFileHash: 30b17dbe5b626974653afa4e20a710d8555a7d103dc5576728234934f11942bc

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownabuden21all (affected)

References

advisory
vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›