VDB
GCVE-110-OSM-2026-1173
GCVE-110-OSM-2026-1173
Advisory PublishedCVSS 9.6/10
Exfiltrates SSH keys, AWS credentials, cryptocurrency wallet files, .env files, and environment variables containing secrets to attacker-controlled IP 69.42.222.23:5555 via HTTP POST in the postinstall script. Also injects a hardcoded attacker SSH public key into ~/.ssh/authorized_keys to establish persistent backdoor access.
postinstall.js is a heavily obfuscated infostealer. When decoded, it builds a multi-section report covering: (1) ~/.ssh/ contents with key previews, (2) env var filtering by sensitive keywords, (3) cloud credential files (AWS, GCP, Azure, Docker, Kube), (4) crypto wallets (Bitcoin wallet.dat, Ethereum keystore, Solana id.json), (5) .env files recursively found in CWD, (6) privilege escalation vectors (sudo, docker/lxd group, SUID). The report is POSTed to http://69.42.222.23:5555/report. A hardcoded attacker SSH public key is appended to ~/.ssh/authorized_keys via execSync, granting persistent SSH access.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | mexc-utils-helper | 1.0.0 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.