VDB

GCVE-110-OSM-2026-6674

GCVE-110-OSM-2026-6674
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 25, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code, install-time execution. ENTRY engine-requirements.js (install-hook: node ./engine-requirements.js) - Install Hook Executes Local JS File in package.json PERSISTENCE - Startup Persistence in lib/Store/make-in-memory-store.js: ".profile" DESTINATION - custom-c2: https://pastebin.com/raw/wh34RDBe (primary, decoded) in lib/Utils/generics.js - custom-c2: https://api.github.com/repos/xyroorynzz/Alice/contents/Alicev2.json (decoded) in lib/Utils/generics.js - custom-c2: pastebin.com (decoded) in lib/Utils/generics.js - custom-c2: update.me (plaintext) in lib/Socket/socket.js - custom-c2: mmg.whatsapp.net (plaintext) in lib/Utils/messages-media.js - bitcoinAddresses: 123456789ABCDEFGHJKLMNPQRSTVWXYZ (exfil, plaintext) EXFIL - Data Encoding for Exfiltration in lib/Socket/socket.js: "Buffer.from(creds.noiseKey.public).toString('base64')" - Data Encoding for Exfiltration in lib/Socket/socket.js.bak: "Buffer.from(creds.noiseKey.public).toString('base64')" - Data Encoding for Exfiltration in lib/Utils/chat-utils.js: "Buffer.from(indexMac).toString('base64')" - Data Encoding for Exfiltration in lib/Utils/messages-media.js: "Buffer.from(media.fileSha256).toString('base64')" - Data Encoding for Exfiltration in lib/Utils/process-message.js: "Buffer.from(keyId.keyId).toString('base64')" - Network Request in lib/Utils/generics.js: "axios.get(" - Network Request in lib/Utils/messages-media.js: "axios.get(" OBFUSCATION - Decoded Base64 Content in lib/Utils/generics.js (x2) - Decoded Base64 Content in [deobfuscated] lib/Utils/generics.js (x2) - IOCs Found in Deobfuscated Code in lib/Utils/generics.js - Dynamic Base64 Decoding in lib/Signal/Group/group_cipher.js: "Buffer.from(iv, 'base64')" - Dynamic Base64 Decoding in lib/Signal/Group/sender-key-state.js: "Buffer.from(chainKey, 'base64')" - Dynamic Base64 Decoding in lib/Utils/chat-utils.js: "Buffer.from(keyId, 'base64')" - Dynamic Base64 Decoding in lib/Utils/generics.js: "Buffer.from(val, 'base64')" - Dynamic Base64 Decoding in lib/Utils/validate-connection.js: "Buffer.from(advSecretKey, 'base64')" (+6 more) ADDITIONAL FINDINGS - Platform Detection with Data Collection in lib/Socket/messages-recv.js: "JSON.stringify({ ...child, content: Buffer.isBuffer(child.content) ? child.conte..." - Shell Command Execution in lib/Utils/messages-media.js: "require("child_process")" - Publisher Has Other Malicious Packages PAYLOAD FILES lib/Utils/generics.js (+ [deobfuscated] lib/Utils/generics.js) INDICATORS (IOCs) - ipv4: 2.25.23.24 - domains: sock.ws, whatsapp.net, wa.me, creds.me, media-gru2-2.cdn.whatsapp.net (+22 more) - emails: 0@whatsapp.net, 16505361212@c.us, server@c.us, 0@c.us - payloadFileHash: 30f73249fffa96ea6e47154dd6b29905bab6aec14c8a1606a23e10e23ed2510c

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownalice-baileys2.0.10 (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›