VDB

GCVE-110-OSM-2026-22

GCVE-110-OSM-2026-22
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 7, 2026
This is a credential-stealing / data-exfiltration package consistent with the chai-max / DPRK-Lazarus campaign. The entrypoint collect.js is directly wired to the package's bin entry and contains exhaustive cryptocurrency wallet theft logic (Bitcoin, Ethereum, Electrum, Exodus, Monero, Zcash, Litecoin, Dogecoin, Dash, Atomic, Coinomi, Armory, Jaxx, Guarda, Wasabi — across both .config and .local/share), collects Desktop and Downloads files including .ovpn, .key, .pem, .env files, reads .gitconfig, edits .bashrc for persistence, and archives/POSTs everything to a configurable server URL (defaulting to 'http://localhost/x.php' but overridable via COLLECT_SERVER_URL) with hostname in the Content header. The non-Latin Cyrillic strings for Russian-locale directory name variants ('Рабочий стол') and the browser extension LevelDB harvesting are additional chai-max campaign fingerprints. The publisher account is brand-new, published 4 versions in under an hour across 8 similarly-named utility packages, all of which warrant investigation. ENTRY collect.js (bin: ./collect.js) LOOT - Cryptocurrency Wallet Theft in collect.js: "wallet.dat" PERSISTENCE - Startup Persistence in collect.js: ".bashrc" DESTINATION - custom-c2: http://aab.sportsontheweb.net/x2.php (primary, plaintext) in collect.js - custom-c2: aab.sportsontheweb.net (plaintext) in collect.js EXFIL - Git Configuration Access in collect.js: ".gitconfig" - System Information Collection in collect.js: "os.hostname()" ADDITIONAL FINDINGS - Shell Command Execution in collect.js: "require('child_process')" - Chai-Max Campaign Indicators in collect.js: ".wallet'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES collect.js INDICATORS (IOCs) - payloadFileHash: bb08ac8e3a51c97a114fc7894e6bb3cab420157ed3bede66df15511883da25d8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownai-chat-helperall (affected)
unknown@solmasterv3/solana-metadata-sdkall (affected), all (affected), * (affected), * (affected), * (affected), * (affected)
unknowntailwind-compile* (affected)
unknownclient-hash-sdkall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected)

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›