VDB
GCVE-110-OSM-2026-22
GCVE-110-OSM-2026-22
Advisory PublishedCVSS 9.6/10
This is a credential-stealing / data-exfiltration package consistent with the chai-max / DPRK-Lazarus campaign. The entrypoint collect.js is directly wired to the package's bin entry and contains exhaustive cryptocurrency wallet theft logic (Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, Atomic, Coinomi, Armory, Jaxx, Guarda, Wasabi — across both .config and .local/share), collects Desktop and Downloads files including .ovpn, .key, .pem, .env files, reads .gitconfig, edits .bashrc for persistence, and archives/POSTs everything to a configurable server URL (defaulting to 'http://localhost/x.php' but overridable via COLLECT_SERVER_URL) with hostname in the Content header. The non-Latin Cyrillic strings for Russian-locale directory name variants ('Рабочий стол') and the browser extension LevelDB harvesting are additional chai-max campaign fingerprints. The publisher account is brand-new, published 4 versions in under an hour across 8 similarly-named utility packages, all of which warrant investigation.
ENTRY
collect.js (bin: ./collect.js)
LOOT
- Cryptocurrency Wallet Theft in collect.js: "wallet.dat"
PERSISTENCE
- Startup Persistence in collect.js: ".bashrc"
DESTINATION
- custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js
- custom-c2: aab.sportsontheweb.net (plaintext) in collect.js
EXFIL
- Git Configuration Access in collect.js: ".gitconfig"
- System Information Collection in collect.js: "os.hostname()"
ADDITIONAL FINDINGS
- Shell Command Execution in collect.js: "require('child_process')"
- Chai-Max Campaign Indicators in collect.js: ".wallet'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
collect.js
INDICATORS (IOCs)
- payloadFileHash: bb08ac8e3a51c97a114fc7894e6bb3cab420157ed3bede66df15511883da25d8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ai-chat-helper | all (affected) | — |
| unknown | @solmasterv3/solana-metadata-sdk | all (affected), all (affected), * (affected), * (affected), * (affected), * (affected) | — |
| unknown | tailwind-compile | * (affected) | — |
| unknown | client-hash-sdk | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected) | — |
References
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.