VDB

GCVE-110-OSM-2026-17

GCVE-110-OSM-2026-17
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
This package is a full-featured credential and cryptocurrency wallet stealer. The entrypoint `collect.js` is registered as the package binary and immediately begins harvesting sensitive data: it enumerates crypto wallet files for Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, MultiBit, Atomic, Coinomi, Armory, Jaxx, Guarda, and WasabiWallet from the user's home directory. It also collects Desktop and Downloads files (including .ovpn, .key, .pem, .env), reads .gitconfig, and uses `os.hostname()` for fingerprinting. All collected data is archived and exfiltrated via POST to the hardcoded C2 endpoint `http://aab.sportsontheweb.net/x2.php` with the hostname sent as an `X-Hostname` header. The Cyrillic locale strings ('Рабочий стол', 'Загрузки') indicate targeting of Russian-speaking victims or authors, consistent with the chai-max/DPRK stealer campaign signature matched by the scanner. The publisher account ('epsj') has 8 packages with names suggesting a pattern of malicious tooling (backup-my-data, clean-my-pc, pc-optimizer, sys-info-cli-app), and 5 versions were published in under an hour. ENTRY collect.js (bin: ./collect.js) LOOT - Cryptocurrency Wallet Theft in collect.js: "wallet.dat" PERSISTENCE - Startup Persistence in collect.js: ".bashrc" DESTINATION - custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js - custom-c2: aab.sportsontheweb.net (plaintext) in collect.js EXFIL - Git Configuration Access in collect.js: ".gitconfig" - System Information Collection in collect.js: "os.hostname()" ADDITIONAL FINDINGS - Shell Command Execution in collect.js: "require('child_process')" - Chai-Max Campaign Indicators in collect.js: ".wallet'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES collect.js INDICATORS (IOCs) - payloadFileHash: 57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownrestaking-apy-module* (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected)
unknownnode-app-doctorall (affected)
unknown@emilgroup/discount-sdk-node* (affected), all (affected), all (affected), * (affected), * (affected), * (affected)
unknownomaronsec* (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›