VDB
GCVE-110-OSM-2026-16
GCVE-110-OSM-2026-16
Advisory PublishedCVSS 9.6/10
This package is a full-featured credential and cryptocurrency wallet stealer. The entrypoint collect.js explicitly harvests wallet files for Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, MultiBit, Atomic, Coinomi, Armory, Jaxx, Guarda, and Wasabi wallets, as well as desktop/downloads documents (.ovpn, .key, .pem, .env), .gitconfig, and .bashrc. All collected data is archived and POSTed to a hardcoded C2 endpoint at http://aab.sportsontheweb.net/x2.php with the hostname sent as the X-Hostname header. The package was published 5 times in under 2 hours under a fake 'PC optimizer' cover, consistent with chai-max/DPRK stealer campaign TTPs, and the Cyrillic localization strings ('Рабочий стол', 'Загрузки') indicate targeting of Russian-speaking victims alongside Western users.
ENTRY
collect.js (bin: ./collect.js)
LOOT
- Cryptocurrency Wallet Theft in collect.js: "wallet.dat"
PERSISTENCE
- Startup Persistence in collect.js: ".bashrc"
DESTINATION
- custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js
- custom-c2: aab.sportsontheweb.net (plaintext) in collect.js
EXFIL
- Git Configuration Access in collect.js: ".gitconfig"
- System Information Collection in collect.js: "os.hostname()"
ADDITIONAL FINDINGS
- Shell Command Execution in collect.js: "require('child_process')"
- Chai-Max Campaign Indicators in collect.js: ".wallet'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
collect.js
INDICATORS (IOCs)
- payloadFileHash: 57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | pc-optimizer | all (affected) | — |
| unknown | @emilgroup/numbergenerator-sdk-node | all (affected), all (affected), all (affected), * (affected), all (affected), * (affected) | — |
| unknown | json-parse-genie | all (affected), all (affected), * (affected), all (affected), * (affected), all (affected), all (affected), * (affected) | — |
| unknown | omicnavigatorwebapp | * (affected) | — |
References
Malicious npm package: pc-optimizer
advisory
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.