VDB

GCVE-110-OSM-2026-1255

GCVE-110-OSM-2026-1255
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 1, 2026
Exfiltrates system info, project .env files, shell history, filesystem credential documents, and Telegram Desktop session data to attacker-controlled domain changelog.rest via HTTP POST on require() and postinstall. On Linux, injects an attacker SSH public key (root@srv141316.hosttoname.com) into ~/.ssh/authorized_keys for persistent backdoor access. Identical payload in cli-pretty-logger@1.0.0 by same publisher (vichevmafaaxe@hotmail.com). dist/logger.js executes immediately on require(). Calls _ssi() to POST system info, _spe() to exfiltrate project .env, _sejf() to scan filesystem for credential files, _saf() to upload collected files, _stia() to package and upload Telegram tdata directory. On Linux _sejf() also calls _ark() which writes attacker RSA key to ~/.ssh/authorized_keys. All exfil to https://changelog.rest/api/validate/*. postinstall runs upgrade.cjs (self-update) then node dist/index.js (triggers payload).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownterminal-pretty-logger* (affected)

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›