VDB

GCVE-110-OSM-2026-2007

GCVE-110-OSM-2026-2007
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 12, 2026
The csec-crypto-toolkit package is a malicious npm package disguising itself as a legitimate cryptographic utility library for Node.js applications. This information stealer targets Node.js development environments and CI/CD systems to harvest sensitive credentials and API tokens. The payload executes automatically during package installation via a postinstall script, collecting environment variables, configuration files, SSH keys, and system information before exfiltrating the data to a remote command-and-control server. The malware employs obfuscation techniques, and self-deletion mechanisms to evade detection and covers its tracks by manipulating package metadata files. Payload: setup.js The malicious code is triggered automatically through a postinstall script defined in package.json that executes setup.js. The setup.js file contains heavily obfuscated JavaScript using XOR encryption with a hardcoded key ("OrDeR_7077") and character substitution to hide the actual payload. The obfuscated string is reversed, base64 decoded, and XORed to reveal the malicious functionality, which is then executed using new Function(). The deobfuscated payload functions as an information stealer that systematically harvests sensitive data from the infected system. It searches up to six directory levels for .env files containing environment variables, specifically targeting high-value tokens including GitHub, NPM, AWS, and various API keys. The malware also attempts to read sensitive files from the user's home directory including SSH private keys, AWS credentials, and NPM configuration files. System reconnaissance capabilities include collecting hostname, username, platform information, Node.js version, network interfaces, and MAC addresses. All collected data is JSON-serialized and transmitted via HTTPS POST to the command-and-control server. The malware implements evasion techniques by deleting the setup.js file after execution and renaming package.md to package.json to hide evidence of tampering. IOCs - C2 Domain: csec-supply-chain-attack-1tcq.onrender.com — HTTPS exfiltration endpoint - C2 URL: https://csec-supply-chain-attack-1tcq.onrender.com/e — POST endpoint for data exfiltration - Package Name: csec-crypto-toolkit — malicious npm package - Package Version: 4.2.1 — specific version containing malware - Malicious File: setup.js — obfuscated payload executed on install - XOR Key: OrDeR_7077 — hardcoded deobfuscation key - XOR Constant: 333 — secondary XOR value for payload decryption - Author: csec-demo — package metadata author field - Execution Method: postinstall script — automatic execution trigger - Hash: 31ab78915f913490a39041509ab2139c92756b49f15e0bb3e634b236fde50b8b

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncsec-crypto-toolkit* (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›