VDB
GCVE-110-OSM-2026-6221
GCVE-110-OSM-2026-6221
Advisory PublishedCVSS 9.6/10
Suspected dependency confusion attack. Behaviors: data exfiltration, code execution, obfuscated code.
ENTRY
sw.js (main: sw.js)
LOOT
- Browser Data Theft in assets/nttg54ebk2.js: "Brave\x20Sear','FiHkS','nt)]\x20focus','vars','over:bg-[v','sessionSto','1\x20md..."
- Browser Data Theft in assets/qzcpiwg4gv.js: "chrome/','controls','dmCFX','reshold','markerWidt','GdoXw','SHgpF','DolFD','aMcK..."
DESTINATION
- custom-c2: https://publicsuffix.org/list/public_suffix_list.dat (primary, plaintext) in 8cfc2/hgshm.js
- custom-c2: https://du (plaintext) in assets/a3g0q43tbe.js
- custom-c2: https://cd (plaintext) in assets/a3g0q43tbe.js
- custom-c2: https://mo (plaintext) in assets/a3g0q43tbe.js
- custom-c2: https://to (plaintext) in assets/a3g0q43tbe.js
- custom-c2: https://ex (plaintext) in assets/a3g0q43tbe.js
- custom-c2: https://di (plaintext) in assets/a3g0q43tbe.js
- custom-c2: https://curl.se/docs/copyright.html (plaintext) in j3ve9/ls3ez.mjs
(+21 more)
EXFIL
- Data Encoding for Exfiltration in 8cfc2/hgshm.js: "btoa("
- Dynamic C2 Endpoint Construction in 8cfc2/hgshm.js: "function r(e){return"string"==typeof e&&!!e.trim()}function n(e,n){var i,a,s,o,l..."
- Data Encoding for Exfiltration in assets/a3g0q43tbe.js: "encodeURIComponent(_0x546912)):void(0x5*-0x6e2+-0x269e*0x1+0x148*0x39);}catch{if..."
- Data Encoding for Exfiltration in assets/tlz3pvqimi.js: "encodeURIComponent(_0x4c943d);}function z(_0x9e365f,_0x359e8d){const _0x2424dd={..."
- Network Request in 8cfc2/hgshm.js: "fetch("https:"
- Network Request in j3ve9/ls3ez.mjs: "Request("http:"
OBFUSCATION
- Dynamic Base64 Decoding in 8cfc2/hgshm.js: "atob(t)"
- Obfuscation: function to array replacements in 8cfc2/hgshm.js
- Obfuscation: augmented proxied array function replacements in assets/3oruu3por5.js
- Obfuscation: augmented proxied array function replacements in assets/6y4sp7rdhb.js
- Obfuscation: augmented proxied array function replacements in assets/8qezz8tdz1.js
- Obfuscation: augmented proxied array function replacements in assets/a3g0q43tbe.js
- Obfuscation: augmented proxied array function replacements in assets/blhj60cfaf.js
- Obfuscation: augmented proxied array function replacements in assets/cl75b3c3pk.js
(+54 more)
ADDITIONAL FINDINGS
- Dynamic Code Execution in 8cfc2/hgshm.js: "exec(p)"
- Clipboard Access in 8cfc2/hgshm.js: "navigator.clipboard.writeText"
- Silent Process Execution in 8cfc2/hgshm.js: "{silent: true"
- XOR-Encoded String Arrays in j3ve9/ls3ez.mjs: "var __MONTH_DAYS_LEAP = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]"
- Publisher Shows Burner-Account Pattern
PAYLOAD FILES
8cfc2/hgshm.js
INDICATORS (IOCs)
- ipv4: 1.86.47.234, 1.4.2.7, 1.3.3.6, 2.3.5.6
- ipv6: 50::, 60::, 72::, 90::, 7:: (+1 more)
- urls: https://um, https://po, https://cl, https://ss, https://se (+2 more)
- domains: w.bing.com, 21baseballacademy.com, abdct.com
- payloadFileHash: 30b17dbe5b626974653afa4e20a710d8555a7d103dc5576728234934f11942bc
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | abuden21 | all (affected) | — |
Aliases
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.