VDB
GCVE-110-OSM-2026-15
GCVE-110-OSM-2026-15
Advisory PublishedCVSS 9.6/10
This package is a full-featured credential and crypto wallet stealer. The entrypoint collect.js explicitly collects cryptocurrency wallet files across 20+ wallet types (Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, MultiBit, Atomic, Coinomi, Armory, Jaxx, Guarda, Wasabi), desktop/downloads documents including .ovpn, .key, .pem, and .env files, and git configuration — then archives and POSTs the data as application/octet-stream with the victim's hostname as a header to the hardcoded C2 at http://aab.sportsontheweb.net/x2.php. The package masquerades as a 'system info tool' but contains no legitimate system info functionality whatsoever. The Cyrillic locale strings ('Рабочий стол', 'Загрузки') indicate targeting of Russian-speaking victims as well as English-speaking ones, and the chai-max campaign signature match is consistent with DPRK/Lazarus Contagious Interview supply chain attacks. The publisher account 'epsj' published 8 packages in a single day with names designed to attract developer installs (ai-chat-helper, gpt-chat-cli, node-app-doctor, pc-optimizer), all consistent with a campaign of trojanized utility packages.
ENTRY
collect.js (bin: ./collect.js)
LOOT
- Cryptocurrency Wallet Theft in collect.js: "wallet.dat"
PERSISTENCE
- Startup Persistence in collect.js: ".bashrc"
DESTINATION
- custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js
- custom-c2: aab.sportsontheweb.net (plaintext) in collect.js
EXFIL
- Git Configuration Access in collect.js: ".gitconfig"
- System Information Collection in collect.js: "os.hostname()"
ADDITIONAL FINDINGS
- Shell Command Execution in collect.js: "require('child_process')"
- Chai-Max Campaign Indicators in collect.js: ".wallet'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
collect.js
INDICATORS (IOCs)
- payloadFileHash: 57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @emilgroup/process-manager-sdk | all (affected), * (affected), all (affected), * (affected), all (affected), all (affected) | — |
| unknown | sys-info-cli-app | all (affected) | — |
| unknown | json-lucide | * (affected) | — |
| unknown | interface-builder-kit | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
References
Malicious npm package: json-lucide
advisory
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.