VDB
GCVE-110-OSM-2026-6650
GCVE-110-OSM-2026-6650
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: code execution, obfuscated code.
ENTRY
src/index.js (main: src/index.js)
DESTINATION
- custom-c2: https://api.trongrid.io/v1/accounts/ (primary, deobfuscated) in src/index.js
- custom-c2: https://fullnode.mainnet.aptoslabs.com/v1/accounts/ (deobfuscated) in src/index.js
- custom-c2: api.trongrid.io (deobfuscated) in src/index.js
- custom-c2: fullnode.mainnet.aptoslabs.com (deobfuscated) in src/index.js
- custom-c2: bsc-dataseed.binance.org (deobfuscated) in src/index.js
- custom-c2: bsc-rpc.publicnode.com (deobfuscated) in src/index.js
OBFUSCATION
- IOCs Found in Deobfuscated Code in src/index.js
- Whitespace-Padded Hidden Payload in src/index.js: "; var"
- Obfuscation: function to array replacements in src/index.js
- Obfuscation patterns: underscoreDollarVars, splitJoinChain in src/index.js
- recovered 2 urls, 4 domains, 4 _domainCandidates from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Dynamic Code Execution in src/index.js: "eval(e)"
- Silent Process Execution in src/index.js: "windowsHide:true"
- Platform Detection with Data Collection in src/index.js: "JSON.stringify({jsonrpc:_$_d407[13],method:a,params:c,id:1});var e={hos"
- Publisher Has Other Malicious Packages
PAYLOAD FILES
src/index.js
INDICATORS (IOCs)
- urls: https://tailwindcss-animationfound.com/configurator.html, https://alpinejs.dev/plugins/intersect, https://v3.tailwindcss.com/, https://tailwindcss.com/
- domains: tailwindcss.com, alpinejs.dev, v3.tailwindcss.com
- payloadFileHash: 635a944c5a53cda8ebd97d3e66e961febc8a8bf201c69dc9c3436673e238376a
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tailwindcss-effector | all (affected) | — |
Aliases
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.