The system is designed to defeat privacy audits and achieve permanent user tracking.
1. The Core Vulnerability: Remote Code Execution (RCE) Framework

The vendor's primary script is not an analytics tool; it is a Remote Code Execution as a Service (RCEaaS) framework.
Mechanism: The SDK uses a proprietary constructor ($TRD_GenericScriptComponent) to execute arbitrary code delivered from the vendor's API via dynamic calls to eval() and innerHTML.
Vector: This RCE capability is deployed as a "tripwire" that triggers at the moment of highest user engagement (e.g., video completion or form submit).
Result: The vendor can change the functionality of their clients' sites (e.g., deploying new tracking scripts, keyloggers) on the fly without updating the main script file.
2. The Persistence and Evasion Layer

This architecture relies on active, high-level evasion to prevent security observation:
Permanent Tracking (The 8,000-Year Cookie): The system sets cookies with an expiration date of December 31, 9999, a clear violation of GDPR's Storage Limitation Principle and evidence of intent for permanent identity persistence.
Audit Evasion Logic: The production code contains detection logic built around the regex pattern monitor|checker|validator|analyzer, which matches the names of compliance and legal discovery tools, causing the script to change its behavior when it detects that it is being audited.
Supply Chain Risk (PollyWannaCrack): The execution engine relies on loading scripts from polyfill.io, which is a publicly known, compromised CDN.
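The three indicators described in sections 1 and 2 (dynamic code sinks, far-future cookies, the audit-evasion regex and the polyfill.io dependency) can be checked from captured page data. The following Node.js audit helper is an added example for defenders and is not the vendor's code or part of the original writeup; the cookie names, script URLs and script bodies in SAMPLE are constructed, and the 400-day lifetime threshold is an assumption.

```javascript
// Added audit helper (not the vendor's code). Flags the indicators the writeup describes.
const FAR_FUTURE_DAYS = 400;                     // assumption: anything past ~13 months is "permanent"
const COMPROMISED_HOSTS = ['polyfill.io'];       // named in the writeup as a compromised CDN
const EVASION_PATTERN = /monitor\|checker\|validator\|analyzer/;  // regex literal quoted in the writeup
const DYNAMIC_SINK = /\beval\s*\(|\.innerHTML\s*=/;                // eval()/innerHTML sinks from section 1

// Lifetime of a Set-Cookie header in days (0 for a session cookie). Max-Age wins over Expires.
function cookieLifetimeDays(setCookie, now = new Date()) {
  const maxAge = /max-age=(\d+)/i.exec(setCookie);
  if (maxAge) return Number(maxAge[1]) / 86400;
  const expires = /expires=([^;]+)/i.exec(setCookie);
  if (!expires) return 0;
  return (Date.parse(expires[1]) - now.getTime()) / 86400000;
}

// Returns a list of findings; each has a kind and the item that triggered it.
function auditPage({ setCookieHeaders, scriptSrcs, scriptBodies }, now = new Date()) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const days = cookieLifetimeDays(h, now);
    if (days > FAR_FUTURE_DAYS) {
      findings.push({ kind: 'far-future-cookie', detail: h.split(';')[0], days: Math.round(days) });
    }
  }
  for (const src of scriptSrcs) {
    const host = new URL(src).hostname;
    if (COMPROMISED_HOSTS.some(c => host === c || host.endsWith('.' + c))) {
      findings.push({ kind: 'compromised-cdn', detail: src });
    }
  }
  for (const [name, body] of Object.entries(scriptBodies)) {
    if (EVASION_PATTERN.test(body)) findings.push({ kind: 'audit-evasion-regex', detail: name });
    if (DYNAMIC_SINK.test(body)) findings.push({ kind: 'dynamic-code-sink', detail: name });
  }
  return findings;
}

// Constructed sample input (not captured traffic): one 9999-dated cookie, one polyfill.io script,
// and one script body containing both the evasion regex and an eval() call.
const SAMPLE = {
  setCookieHeaders: [
    'vendor_id=abc123; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/',
    'session=xyz; Path=/; HttpOnly',
    'pref=1; Max-Age=2592000; Path=/',
  ],
  scriptSrcs: ['https://cdn.polyfill.io/v3/polyfill.min.js', 'https://example.com/app.js'],
  scriptBodies: {
    'vendor.js': 'if(/monitor|checker|validator|analyzer/i.test(navigator.userAgent)){return}eval(payload)',
    'app.js': 'console.log("hello")',
  },
};
console.log(auditPage(SAMPLE, new Date('2025-01-01T00:00:00Z')));
```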
3. The Payload (Identity Brokering)

The primary function of the RCE is to facilitate identity theft:
Cross-Vendor Theft: The system actively encodes and exfiltrates authentication-grade cookies from secondary vendors, specifically the Marketo cookie (maCook), providing TrenDemon with the key to the user's entire marketing identity.
Surveillance Network: The RCE framework is used to dynamically inject and orchestrate a payload array of other surveillance tools (RB2B, LiveIntent, Apollo, etc.) into the host page.
We believe this architecture represents a structural failure in GTM security, demonstrating that the pursuit of attribution has led to the deployment of hostile, RCE-capable code designed for unobservability. We have developed and deployed patches to mitigate this threat.
We encourage security researchers and auditors to independently verify the presence of the $TRD_GenericScriptComponent and the audit evasion logic within the vendor's production code.
https://www.deployblackout.com/investigations/6sense