VDB

GCVE-110-OSM-2026-2425

GCVE-110-OSM-2026-2425
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 15, 2026
Infostealer and SSH backdoor: postinstall hook installs attacker SSH key, exfiltrates .env files, shell history, wallet files, and Telegram tdata to ghostraper.top. **Trigger** (`postinstall`): executes `node dist/index.js` at install time. **Hook scripts**: `dist/index.js` → `dist/logger.js`. **SSH backdoor**: appends attacker public key (email: raymondcasy@gmail.com) to `~/.ssh/authorized_keys` on Linux. **Credential theft**: harvests APPDATA, HISTFILE, reads `.env`, `keystore`, shell history, and recursively searched wallet/credential files. **Telegram theft**: steals Telegram Desktop tdata on macOS and Windows. **Exfiltration**: all data JSON-serialized and sent to `ghostraper.top` via 5 endpoints under `/api/validate/`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownawesome-cli-loggerall versions (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›