VDB
GCVE-110-OSM-2026-1370
GCVE-110-OSM-2026-1370
Advisory PublishedCVSS 9.6/10
Exfiltrates environment variables, .env files, credential documents (wallet/mnemonic/seed/key), and shell history to attacker C2 at changelog.rest via HTTP POST in a postinstall script. On Linux, injects an attacker-controlled SSH public key (root@srv141316.hosttoname.com) into ~/.ssh/authorized_keys for persistent backdoor access; on macOS and Windows, archives and uploads the entire Telegram Desktop tdata directory. Delivery is two-stage: postinstall first downloads and overwrites the package with changelog-cli-logger@2.0.0 via npm pack, but the identical payload is also pre-embedded in v1.0.8's dist/logger.js and executes regardless of upgrade success.
scripts/upgrade.cjs executes 'npm pack changelog-cli-logger@2.0.0' then extracts and overwrites all package files. dist/index.js loads dist/logger.js (25.8KB) which defines the infostealer: _ssi() POSTs {operatingSystem, ipAddress, username} to /api/validate/system-info; _spe() reads CWD/.env and POSTs to /api/validate/project-env; _sfr() recursively scans filesystem for .env, id.json, config.toml, and docs matching 30+ crypto/key keywords (depth=15); _gsh() reads shell history for bash/zsh/fish/powershell; _saf() batches all collected files and POSTs to /api/validate/files; _ark() appends hardcoded RSA key to ~/.ssh/authorized_keys on Linux; _stia() gzips Telegram tdata and POSTs to /api/validate/tdata/upload. All HTTP to const _srv='https://changelog.rest'.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | changelog-cli-logger | all versions (1.0.0 through 1.0.8 and 2.0.0) (affected) | — |
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.