VDB

GCVE-110-OSM-2026-7471

GCVE-110-OSM-2026-7471
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 30, 2026
Malicious Composer/Packagist package 'arsl/optima-class' compromised in the PolinRider DPRK-linked supply-chain campaign (Socket threat research). The artifact was published with the campaign's obfuscated loader that fetches and executes a blockchain-hosted second-stage infostealer payload. Part of the PolinRider (DPRK-linked; Contagious Interview / Famous Chollima) supply-chain campaign tracked by Socket. Behavior: obfuscated JavaScript loader planted in the compromised artifact; retrieves an encrypted second-stage payload from blockchain RPC infrastructure (TRON, Aptos, BNB Smart Chain), decrypts it with embedded XOR keys, and executes it via eval() for remote code execution and persistence via detached processes. Follow-on payloads: DEV#POPPER, OmniStealer, InvisibleFerret — credential theft, browser-data theft, crypto-wallet exfiltration, keylogging. Propagation: temp_auto_push.bat rewrites git commit history and force-pushes malicious changes to spread across downstream repositories. Code signatures: rmcej%otb% (original) / Cot%3t=shtP (new) markers; decoder functions _$_1e42 / MDy. Malicious git commit reference(s): a85eef52f83cd4f62eb5163253f183ffec7ff8de

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownarsl/optima-classdev-auction-added (affected)

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›