VDB
GCVE-110-OSM-2026-7479
GCVE-110-OSM-2026-7479
Advisory PublishedCVSS 9.6/10
Malicious Composer/Packagist package 'sevenspan/laravel-chat' compromised in the PolinRider DPRK-linked supply-chain campaign (Socket threat research). The artifact was published with the campaign's obfuscated loader that fetches and executes a blockchain-hosted second-stage infostealer payload.
Part of the PolinRider (DPRK-linked; Contagious Interview / Famous Chollima) supply-chain campaign tracked by Socket.
Behavior: obfuscated JavaScript loader planted in the compromised artifact; retrieves an encrypted second-stage payload from blockchain RPC infrastructure (TRON, Aptos, BNB Smart Chain), decrypts it with embedded XOR keys, and executes it via eval() for remote code execution and persistence via detached processes.
Follow-on payloads: DEV#POPPER, OmniStealer, InvisibleFerret — credential theft, browser-data theft, crypto-wallet exfiltration, keylogging.
Propagation: temp_auto_push.bat rewrites git commit history and force-pushes malicious changes to spread across downstream repositories.
Code signatures: rmcej%otb% (original) / Cot%3t=shtP (new) markers; decoder functions _$_1e42 / MDy.
Malicious git commit reference(s): 50492ca52192c6cfc1d8ad25dab6f4248ab06e85, d59e43fd835166e707b76a1e99e7142c61e31a8d
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sevenspan/laravel-chat | dev-ability-to-encrypt-body, dev-feat/doc, dev-feat/message-variables, dev-feat/php-version-upgrade, dev-imp/message-type, dev-main (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.