VDB

GCVE-110-OSM-2026-21

GCVE-110-OSM-2026-21
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
This package is a fully implemented credential and crypto-wallet stealer matching the chai-max/DPRK campaign signature. The entrypoint collect.js systematically harvests cryptocurrency wallet files from Bitcoin, Ethereum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, Electrum, Atomic, Coinomi, Armory, Jaxx, Guarda, WalletWasabi and more; collects .gitconfig, .env, .ovpn, .pem, .key files; reads Desktop and Downloads directories (including Cyrillic locale paths suggesting Russian-speaking targets); and POSTs the collected archive via HTTP with a configurable server URL (defaulting to 'http://localhost/x.php' but clearly parameterized for attacker-controlled deployment). The POST includes an 'X-Hostname' header for victim fingerprinting and sends data as application/octet-stream. The publisher 'epsj' published 4 versions within ~1 hour of account creation across a cluster of 8 utility-themed packages (ai-chat-helper, clean-my-pc, gpt-chat-cli, pc-optimizer, etc.) that are classic Contagious Interview / supply-chain lure names. The chai-max-indicators rule fires with 10 matches on collect.js, consistent with known DPRK stealer tooling. ENTRY collect.js (bin: ./collect.js) LOOT - Cryptocurrency Wallet Theft in collect.js: "wallet.dat" PERSISTENCE - Startup Persistence in collect.js: ".bashrc" DESTINATION - custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js - custom-c2: aab.sportsontheweb.net (plaintext) in collect.js EXFIL - Git Configuration Access in collect.js: ".gitconfig" - System Information Collection in collect.js: "os.hostname()" ADDITIONAL FINDINGS - Shell Command Execution in collect.js: "require('child_process')" - Chai-Max Campaign Indicators in collect.js: ".wallet'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES collect.js INDICATORS (IOCs) - payloadFileHash: bb08ac8e3a51c97a114fc7894e6bb3cab420157ed3bede66df15511883da25d8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownjito-validator-sdkall (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknownbackup-my-dataall (affected)
unknown@sixcore/baileysall (affected)
unknownclob-utils-sdks* (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected)

References

advisory
vendor
advisory
vendor
advisory
vendor
vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›