VDB
GCVE-110-OSM-2026-17
GCVE-110-OSM-2026-17
Advisory PublishedCVSS 9.6/10
This package is a full-featured credential and cryptocurrency wallet stealer. The entrypoint `collect.js` is registered as the package binary and immediately begins harvesting sensitive data: it enumerates crypto wallet files for Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, MultiBit, Atomic, Coinomi, Armory, Jaxx, Guarda, and WasabiWallet from the user's home directory. It also collects Desktop and Downloads files (including .ovpn, .key, .pem, .env), reads .gitconfig, and uses `os.hostname()` for fingerprinting. All collected data is archived and exfiltrated via POST to the hardcoded C2 endpoint `http://aab.sportsontheweb.net/x2.php` with the hostname sent as an `X-Hostname` header. The Cyrillic locale strings ('Рабочий стол', 'Загрузки') indicate targeting of Russian-speaking victims or authors, consistent with the chai-max/DPRK stealer campaign signature matched by the scanner. The publisher account ('epsj') has 8 packages with names suggesting a pattern of malicious tooling (backup-my-data, clean-my-pc, pc-optimizer, sys-info-cli-app), and 5 versions were published in under an hour.
ENTRY
collect.js (bin: ./collect.js)
LOOT
- Cryptocurrency Wallet Theft in collect.js: "wallet.dat"
PERSISTENCE
- Startup Persistence in collect.js: ".bashrc"
DESTINATION
- custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js
- custom-c2: aab.sportsontheweb.net (plaintext) in collect.js
EXFIL
- Git Configuration Access in collect.js: ".gitconfig"
- System Information Collection in collect.js: "os.hostname()"
ADDITIONAL FINDINGS
- Shell Command Execution in collect.js: "require('child_process')"
- Chai-Max Campaign Indicators in collect.js: ".wallet'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
collect.js
INDICATORS (IOCs)
- payloadFileHash: 57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | restaking-apy-module | * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected) | — |
| unknown | node-app-doctor | all (affected) | — |
| unknown | @emilgroup/discount-sdk-node | * (affected), all (affected), all (affected), * (affected), * (affected), * (affected) | — |
| unknown | omaronsec | * (affected) | — |
References
Malicious npm package: omaronsec
advisory
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.