VDB

GCVE-110-OSM-2026-15

GCVE-110-OSM-2026-15
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
This package is a full-featured credential and crypto wallet stealer. The entrypoint collect.js explicitly collects cryptocurrency wallet files across 20+ wallet types (Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, MultiBit, Atomic, Coinomi, Armory, Jaxx, Guarda, Wasabi), desktop/downloads documents including .ovpn, .key, .pem, and .env files, and git configuration — then archives and POSTs the data as application/octet-stream with the victim's hostname as a header to the hardcoded C2 at http://aab.sportsontheweb.net/x2.php. The package masquerades as a 'system info tool' but contains no legitimate system info functionality whatsoever. The Cyrillic locale strings ('Рабочий стол', 'Загрузки') indicate targeting of Russian-speaking victims as well as English-speaking ones, and the chai-max campaign signature match is consistent with DPRK/Lazarus Contagious Interview supply chain attacks. The publisher account 'epsj' published 8 packages in a single day with names designed to attract developer installs (ai-chat-helper, gpt-chat-cli, node-app-doctor, pc-optimizer), all consistent with a campaign of trojanized utility packages. ENTRY collect.js (bin: ./collect.js) LOOT - Cryptocurrency Wallet Theft in collect.js: "wallet.dat" PERSISTENCE - Startup Persistence in collect.js: ".bashrc" DESTINATION - custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js - custom-c2: aab.sportsontheweb.net (plaintext) in collect.js EXFIL - Git Configuration Access in collect.js: ".gitconfig" - System Information Collection in collect.js: "os.hostname()" ADDITIONAL FINDINGS - Shell Command Execution in collect.js: "require('child_process')" - Chai-Max Campaign Indicators in collect.js: ".wallet'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES collect.js INDICATORS (IOCs) - payloadFileHash: 57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@emilgroup/process-manager-sdkall (affected), * (affected), all (affected), * (affected), all (affected), all (affected)
unknownsys-info-cli-appall (affected)
unknownjson-lucide* (affected)
unknowninterface-builder-kitall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›