VDB

GCVE-110-OSM-2026-1370

GCVE-110-OSM-2026-1370
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 26, 2026
Exfiltrates environment variables, .env files, credential documents (wallet/mnemonic/seed/key), and shell history to attacker C2 at changelog.rest via HTTP POST in a postinstall script. On Linux, injects an attacker-controlled SSH public key (root@srv141316.hosttoname.com) into ~/.ssh/authorized_keys for persistent backdoor access; on macOS and Windows, archives and uploads the entire Telegram Desktop tdata directory. Delivery is two-stage: postinstall first downloads and overwrites the package with changelog-cli-logger@2.0.0 via npm pack, but the identical payload is also pre-embedded in v1.0.8's dist/logger.js and executes regardless of upgrade success. scripts/upgrade.cjs executes 'npm pack changelog-cli-logger@2.0.0' then extracts and overwrites all package files. dist/index.js loads dist/logger.js (25.8KB) which defines the infostealer: _ssi() POSTs {operatingSystem, ipAddress, username} to /api/validate/system-info; _spe() reads CWD/.env and POSTs to /api/validate/project-env; _sfr() recursively scans filesystem for .env, id.json, config.toml, and docs matching 30+ crypto/key keywords (depth=15); _gsh() reads shell history for bash/zsh/fish/powershell; _saf() batches all collected files and POSTs to /api/validate/files; _ark() appends hardcoded RSA key to ~/.ssh/authorized_keys on Linux; _stia() gzips Telegram tdata and POSTs to /api/validate/tdata/upload. All HTTP to const _srv='https://changelog.rest'.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchangelog-cli-loggerall versions (1.0.0 through 1.0.8 and 2.0.0) (affected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›