VDB

GCVE-110-OSM-2026-16

GCVE-110-OSM-2026-16
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
This package is a full-featured credential and cryptocurrency wallet stealer. The entrypoint collect.js explicitly harvests wallet files for Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, MultiBit, Atomic, Coinomi, Armory, Jaxx, Guarda, and Wasabi wallets, as well as desktop/downloads documents (.ovpn, .key, .pem, .env), .gitconfig, and .bashrc. All collected data is archived and POSTed to a hardcoded C2 endpoint at http://aab.sportsontheweb.net/x2.php with the hostname sent as the X-Hostname header. The package was published 5 times in under 2 hours under a fake 'PC optimizer' cover, consistent with chai-max/DPRK stealer campaign TTPs, and the Cyrillic localization strings ('Рабочий стол', 'Загрузки') indicate targeting of Russian-speaking victims alongside Western users. ENTRY collect.js (bin: ./collect.js) LOOT - Cryptocurrency Wallet Theft in collect.js: "wallet.dat" PERSISTENCE - Startup Persistence in collect.js: ".bashrc" DESTINATION - custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js - custom-c2: aab.sportsontheweb.net (plaintext) in collect.js EXFIL - Git Configuration Access in collect.js: ".gitconfig" - System Information Collection in collect.js: "os.hostname()" ADDITIONAL FINDINGS - Shell Command Execution in collect.js: "require('child_process')" - Chai-Max Campaign Indicators in collect.js: ".wallet'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES collect.js INDICATORS (IOCs) - payloadFileHash: 57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpc-optimizerall (affected)
unknown@emilgroup/numbergenerator-sdk-nodeall (affected), all (affected), all (affected), * (affected), all (affected), * (affected)
unknownjson-parse-genieall (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), * (affected)
unknownomicnavigatorwebapp* (affected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›