VDB
GCVE-110-OSM-2026-20
GCVE-110-OSM-2026-20
Advisory PublishedCVSS 9.6/10
This package is a full-featured infostealer masquerading as a PC cleaning utility. The entrypoint collect.js systematically harvests cryptocurrency wallet files (Bitcoin, Ethereum, Electrum, Exodus, Monero, and 20+ others), collects desktop/downloads documents including .ovpn, .pem, .key, and .env files, reads .gitconfig for developer identity, and POSTs collected data as a tar.gz archive with hostname in the X-Hostname header to a server URL (defaulting to 'http://localhost/x.php' but configurable via COLLECT_SERVER_URL env var). The code also contains Cyrillic locale support for Russian-language desktops, indicating intentional targeting of Russian-speaking victims. The publisher 'epsj' published 7 versions of this package within a single hour alongside 7 other likely-related packages (ai-chat-helper, backup-my-data, gpt-chat-cli, etc.), a hallmark of a Contagious Interview / chai-max campaign deployment burst. The chai-max-indicators signature match is confirmed by the actual code content.
ENTRY
collect.js (bin: ./collect.js)
LOOT
- Cryptocurrency Wallet Theft in collect.js: "wallet.dat"
PERSISTENCE
- Startup Persistence in collect.js: ".bashrc"
EXFIL
- Git Configuration Access in collect.js: ".gitconfig"
- System Information Collection in collect.js: "os.hostname()"
DESTINATION
- custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js
- custom-c2: aab.sportsontheweb.net (plaintext) in collect.js
ADDITIONAL FINDINGS
- Shell Command Execution in collect.js: "require('child_process')"
- Chai-Max Campaign Indicators in collect.js: ".wallet'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
collect.js
INDICATORS (IOCs)
- payloadFileHash: bb08ac8e3a51c97a114fc7894e6bb3cab420157ed3bede66df15511883da25d8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | neanderthal-validator | all (affected), * (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | ffsixx | all (affected) | — |
| unknown | pretty-ts-logger | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected) | — |
| unknown | clean-my-pc | all (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.