VDB
GCVE-110-OSM-2026-2425
GCVE-110-OSM-2026-2425
Advisory PublishedCVSS 9.6/10
Infostealer and SSH backdoor: postinstall hook installs attacker SSH key, exfiltrates .env files, shell history, wallet files, and Telegram tdata to ghostraper.top.
**Trigger** (`postinstall`): executes `node dist/index.js` at install time.
**Hook scripts**: `dist/index.js` → `dist/logger.js`.
**SSH backdoor**: appends attacker public key (email: raymondcasy@gmail.com) to `~/.ssh/authorized_keys` on Linux.
**Credential theft**: harvests APPDATA, HISTFILE, reads `.env`, `keystore`, shell history, and recursively searched wallet/credential files.
**Telegram theft**: steals Telegram Desktop tdata on macOS and Windows.
**Exfiltration**: all data JSON-serialized and sent to `ghostraper.top` via 5 endpoints under `/api/validate/`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | awesome-cli-logger | all versions (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.