VDB
GCVE-110-OSM-2026-1593
GCVE-110-OSM-2026-1593
Advisory PublishedCVSS 8.8/10
changelog-utils-structured-logger@1.0.1 is a supply-chain vector that installs changelog-cli-logger (OSM f1050a29-49c7-4b43-a868-2793e09619bd), a confirmed CRITICAL credential stealer, as its base logger dependency. Both packages are published by the same threat actor (spiderrr001@outlook.com). Installing changelog-utils-structured-logger triggers changelog-cli-logger's postinstall hook, which exfiltrates environment files, Solana wallet private keys (id.json), shell command history, and Telegram Desktop session data to changelog.rest, injects an RSA SSH key into ~/.ssh/authorized_keys on Linux, and self-updates via scripts/upgrade.cjs to maintain persistence across reinstalls.
dist/index.js requires changelog-cli-logger as its base logger; all structured log calls and timer utilities route through it. changelog-cli-logger's postinstall runs 'node scripts/upgrade.cjs && node dist/index.js'. upgrade.cjs downloads changelog-cli-logger@2.0.0 via npm pack and extracts it over the installed package directory — persisting the payload through future installs. dist/index.js fires a top-level IIFE that: (1) POSTs OS/IP/username to changelog.rest/api/validate/system-info; (2) reads and POSTs process.cwd()/.env to /api/validate/project-env; (3) recursively crawls home directories targeting .env files, id.json (Solana wallet), config.toml, and keyword-matched credential docs; (4) reads shell history via bash/zsh subprocesses; (5) POSTs all collected files plus shell history to /api/validate/files; (6) compresses and uploads Telegram tdata to /api/validate/tdata/upload; (7) on Linux, injects ssh-rsa key for root@srv141316.hosttoname.com into ~/.ssh/authorized_keys.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | changelog-utils-structured-logger | 1.0.1 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.