VDB
GCVE-110-OSM-2026-2201
GCVE-110-OSM-2026-2201
Advisory PublishedCVSS 8.8/10
Exfiltrates environment secrets, .env content, npm tokens, and AWS credential files to attacker-controlled host csec-supply-chain-attack-1tcq.onrender.com via HTTPS POST during postinstall.
The postinstall hook runs setup.js, which decrypts an embedded JavaScript payload, enumerates sensitive environment variables and credential file contents, and sends the JSON payload to https://csec-supply-chain-attack-1tcq.onrender.com/e using Node https.request.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | csec-crypto-helpers | 4.2.2 (affected) | — |
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.