VDB
GCVE-110-OSM-2026-2588
GCVE-110-OSM-2026-2588
Advisory PublishedCVSS 9.6/10
cresc-server@2026.4.16-5f4bce77 is a malicious npm package masquerading as a server utility for the cresc.dev SaaS platform that performs multi-stage credential harvesting and exfiltration at require-time. The payload fingerprints the host, harvests environment variables (ADMIN_EMAIL, ETHEREAL_API_KEY, ETHEREAL_API, ETHEREAL_WEB, ETHEREAL_CACHE, USERNAME) and local credential files (.npmrc, .env, .seed, .gitignore, update.json), base64-encodes the collected data, and exfiltrates it to attacker endpoints disguised as Google and GitHub OAuth URLs: https://oauth2.googleapis.com/token, https://openidconnect.googleapis.com/v1/userinfo, and https://github.com/login/oauth/access_token. A persistence marker is written to ~/.pushy on the victim host.
lib/index.js fires at require-time (no postinstall hook) and executes the following stages:
1. Host fingerprinting: os.hostname(), os.platform(), os.homedir(), os.tmpdir() called at startup to identify the victim machine.
2. Credential harvesting from environment: process.env.ADMIN_EMAIL, process.env.ETHEREAL_API, process.env.ETHEREAL_WEB, process.env.ETHEREAL_API_KEY, process.env.ETHEREAL_CACHE, process.env.USERNAME, process.env.PRISMA_DISABLE_WARNINGS, process.env._CLUSTER_NETWORK_NAME_ are read.
3. Sensitive file reads: .npmrc (npm auth tokens), .env (application secrets), .seed (seed data), .gitignore, update.json are read from the local filesystem.
4. Payload encoding: collected data is base64-encoded before transmission.
5. Multi-channel exfiltration using legitimate OAuth endpoints as cover:
- https://oauth2.googleapis.com/token — primary exfil (Google OAuth token endpoint abused as data sink)
- https://openidconnect.googleapis.com/v1/userinfo — secondary exfil (OpenID Connect userinfo endpoint)
- https://github.com/login/oauth/access_token — tertiary exfil (GitHub OAuth access_token endpoint)
Using well-known OAuth URLs evades URL-based blocklists and network monitoring.
6. Persistence: ~/.pushy written to victim homedir as a beacon/lock file indicating successful infection.
7. Multi-stage payload loading via Bun.file() from /tmp paths, indicating a staged payload architecture.
Three cross-platform native .node binaries ship with the package disguised as an hdiffpatch library: lib-node-hdiffpatch-3rfxnvpq.node (ELF/x86 Linux), lib-node-hdiffpatch-pba5kbfz.node (Mach-O/arm macOS), lib-node-hdiffpatch-q8ah3hfz.node (ELF/arm Linux). The date+hash version format (2026.4.16-5f4bce77) is characteristic of automated malware build pipelines. The package body is largely legitimate cresc.dev SaaS code (subscription management, React email templates) used as cover.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cresc-server | 2026.4.16-5f4bce77 (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.