VDB

GCVE-110-OSM-2026-2201

GCVE-110-OSM-2026-2201
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 13, 2026
Exfiltrates environment secrets, .env content, npm tokens, and AWS credential files to attacker-controlled host csec-supply-chain-attack-1tcq.onrender.com via HTTPS POST during postinstall. The postinstall hook runs setup.js, which decrypts an embedded JavaScript payload, enumerates sensitive environment variables and credential file contents, and sends the JSON payload to https://csec-supply-chain-attack-1tcq.onrender.com/e using Node https.request.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncsec-crypto-helpers4.2.2 (affected)

References

vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›