VDB

GCVE-110-OSM-2026-20

GCVE-110-OSM-2026-20
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
This package is a full-featured infostealer masquerading as a PC cleaning utility. The entrypoint collect.js systematically harvests cryptocurrency wallet files (Bitcoin, Ethereum, Electrum, Exodus, Monero, and 20+ others), collects desktop/downloads documents including .ovpn, .pem, .key, and .env files, reads .gitconfig for developer identity, and POSTs collected data as a tar.gz archive with hostname in the X-Hostname header to a server URL (defaulting to 'http://localhost/x.php' but configurable via COLLECT_SERVER_URL env var). The code also contains Cyrillic locale support for Russian-language desktops, indicating intentional targeting of Russian-speaking victims. The publisher 'epsj' published 7 versions of this package within a single hour alongside 7 other likely-related packages (ai-chat-helper, backup-my-data, gpt-chat-cli, etc.), a hallmark of a Contagious Interview / chai-max campaign deployment burst. The chai-max-indicators signature match is confirmed by the actual code content. ENTRY collect.js (bin: ./collect.js) LOOT - Cryptocurrency Wallet Theft in collect.js: "wallet.dat" PERSISTENCE - Startup Persistence in collect.js: ".bashrc" EXFIL - Git Configuration Access in collect.js: ".gitconfig" - System Information Collection in collect.js: "os.hostname()" DESTINATION - custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js - custom-c2: aab.sportsontheweb.net (plaintext) in collect.js ADDITIONAL FINDINGS - Shell Command Execution in collect.js: "require('child_process')" - Chai-Max Campaign Indicators in collect.js: ".wallet'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES collect.js INDICATORS (IOCs) - payloadFileHash: bb08ac8e3a51c97a114fc7894e6bb3cab420157ed3bede66df15511883da25d8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownneanderthal-validatorall (affected), * (affected), all (affected), all (affected), all (affected), all (affected)
unknownffsixxall (affected)
unknownpretty-ts-loggerall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected)
unknownclean-my-pcall (affected)

References

vendor
advisory
advisory
vendor
advisory
vendor
vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›