VDB

GCVE-110-OSM-2026-6988

GCVE-110-OSM-2026-6988
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 29, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code. DESTINATION - custom-c2: https://raw.org/proof/vector-rotation-using-quaternions/ (primary, plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: http://projecteuclid.org/euclid.aoms/1177692644; (plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: http://jsperf.com/quaternion-slerp-implementations (plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: http://planning.cs.uiuc.edu/node198.html (plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: https://mathworld.wolfram.com/Plane-PlaneIntersection.html (plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: https://www.realtimerendering.com/raytracinggems/rtg/index.html (plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: https://bryceboe.com/2006/10/23/line-segment-intersection-algorithm/ (plaintext) in dist/maplibre-gl-csp-dev.js - custom-c2: https://javascriptsource.com/sanitize-an-html-string-to-reduce-the-risk-of-xss-attacks/ (plaintext) in dist/maplibre-gl-csp-dev.js (+47 more) EXFIL - Corporate Environment Targeting in dist/maplibre-gl-csp-dev.js: "tmosphere-blend': new DataConstantProperty(latest" - Corporate Environment Targeting in dist/maplibre-gl-dev.js: "tmosphere-blend': new symbol_layout.DataConstantProperty(symbol_layout.latest" - Data Encoding for Exfiltration in dist/maplibre-gl-csp-dev.js: "btoa(" - Data Encoding for Exfiltration in dist/maplibre-gl-csp-worker-dev.js: "btoa(" - Dynamic C2 Endpoint Construction in dist/maplibre-gl-csp-worker.js: "function t(t,e,r,n){return new(r||(r=Promise))(function(i,s){function o(t){try{l..." - Data Encoding for Exfiltration in dist/maplibre-gl-csp.js: "encodeURIComponent(e)}addTo(e){return this._map=e,addEventListener("hashchange",..." - Dynamic C2 Endpoint Construction in dist/maplibre-gl-csp.js: "function n(e,t,i,r){return new(i||(i=Promise))(function(n,o){function s(e){try{l..." - Data Encoding for Exfiltration in dist/maplibre-gl-dev.js: "btoa(" (+4 more) OBFUSCATION - Dynamic Base64 Decoding in dist/maplibre-gl-csp-dev.js: "atob(str)" - Dynamic Base64 Decoding in dist/maplibre-gl-csp-worker-dev.js: "atob(str)" - Obfuscation: function to array replacements in dist/maplibre-gl-csp-worker.js - Obfuscation: function to array replacements in dist/maplibre-gl-csp.js - Dynamic Base64 Decoding in dist/maplibre-gl-dev.js: "atob(str)" - Obfuscation: function to array replacements in dist/maplibre-gl.js - Dynamic Base64 Decoding in src/util/util.ts: "atob(str)" - Unicode Escape Obfuscation in dist/maplibre-gl-csp-dev.js: "\u2016\u2020\u2021\u2030\u2031\u203B\u203C\u2042\u2047" (+14 more) ADDITIONAL FINDINGS - Dynamic Code Execution in build/generate-docs.ts: "exec(htmlContent)" PAYLOAD FILES dist/maplibre-gl-csp-dev.js (+ dist/maplibre-gl-dev.js, dist/maplibre-gl.js) INDICATORS (IOCs) - ipv4: 177.1.224.138 - urls: https://maplibre.org/maplibre-gl-js/docs/API/, https://demotiles.maplibre.org/style.json, https://maplibre.org/maplibre-gl-js/docs/examples/, https://visgl.github.io/react-map-gl/docs/get-started, https://slack.openstreetmap.us/ (+12 more) - domains: maplibre.org, demotiles.maplibre.org, visgl.github.io, slack.openstreetmap.us, www.mierune.co.jp (+7 more) - emails: hidden@parameters.zoom, bar@2x.png, sprite1@2x.json, sprite1@2x.png - payloadFileHash: f37aeba4e4b8e6c4dd7bd27fd2d7180a7b47bd58e773d58816d9df6f70f946b1

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownmaplibre-gl-vue3all (affected)

References

advisory
vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›