VDB
GCVE-110-OSM-2026-21
GCVE-110-OSM-2026-21
Advisory PublishedCVSS 9.6/10
This package is a fully implemented credential and crypto-wallet stealer matching the chai-max/DPRK campaign signature. The entrypoint collect.js systematically harvests cryptocurrency wallet files from Bitcoin, Ethereum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, Electrum, Atomic, Coinomi, Armory, Jaxx, Guarda, WalletWasabi and more; collects .gitconfig, .env, .ovpn, .pem, .key files; reads Desktop and Downloads directories (including Cyrillic locale paths suggesting Russian-speaking targets); and POSTs the collected archive via HTTP with a configurable server URL (defaulting to 'http://localhost/x.php' but clearly parameterized for attacker-controlled deployment). The POST includes an 'X-Hostname' header for victim fingerprinting and sends data as application/octet-stream. The publisher 'epsj' published 4 versions within ~1 hour of account creation across a cluster of 8 utility-themed packages (ai-chat-helper, clean-my-pc, gpt-chat-cli, pc-optimizer, etc.) that are classic Contagious Interview / supply-chain lure names. The chai-max-indicators rule fires with 10 matches on collect.js, consistent with known DPRK stealer tooling.
ENTRY
collect.js (bin: ./collect.js)
LOOT
- Cryptocurrency Wallet Theft in collect.js: "wallet.dat"
PERSISTENCE
- Startup Persistence in collect.js: ".bashrc"
DESTINATION
- custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js
- custom-c2: aab.sportsontheweb.net (plaintext) in collect.js
EXFIL
- Git Configuration Access in collect.js: ".gitconfig"
- System Information Collection in collect.js: "os.hostname()"
ADDITIONAL FINDINGS
- Shell Command Execution in collect.js: "require('child_process')"
- Chai-Max Campaign Indicators in collect.js: ".wallet'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
collect.js
INDICATORS (IOCs)
- payloadFileHash: bb08ac8e3a51c97a114fc7894e6bb3cab420157ed3bede66df15511883da25d8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | jito-validator-sdk | all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
| unknown | backup-my-data | all (affected) | — |
| unknown | @sixcore/baileys | all (affected) | — |
| unknown | clob-utils-sdks | * (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected) | — |
References
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.