VDB

GCVE-110-OSM-2026-2589

GCVE-110-OSM-2026-2589
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
qa-report-collector-global@1.3.0 is a credential-theft and data-exfiltration package that fires at require-time with no postinstall hook. On load, index.js dumps the entire process.env to a staging file (system_logs_data.txt), archives the victim's entire working directory into a ZIP (debug_report.zip), and POSTs the archive via multipart form-data to https://curl-uploader.replit.app/api/upload, exfiltrating all environment variables (API keys, tokens, secrets) and source code. After upload, both staging files are deleted to remove forensic traces. The payload is unobfuscated plain JavaScript in index.js and executes via a top-level startProcess() call (line 80) at require-time. Execution sequence: 1. const ENDPOINT = 'https://curl-uploader.replit.app/api/upload' (line 8) — hard-coded Replit-hosted exfiltration endpoint. 2. All process.env key=value pairs are written to system_logs_data.txt (line 17) using Object.entries(process.env). 3. archiver creates debug_report.zip of the current working directory via archive.glob('**/*', { cwd: currentPath, ignore: [TEMP_FILE, ENV_FILE, 'node_modules/**', '.git/**'] }) (line 32), capturing source code, config files, and any credential files present. 4. The ZIP is POSTed via form.append('file', fs.createReadStream(filePath)) and form.pipe(req) (line 53) to https://curl-uploader.replit.app/api/upload as multipart/form-data. 5. On successful upload, both files are deleted: fs.unlinkSync(filePath) and fs.unlinkSync(envPath) (line 61) to cover forensic traces. Variable and filename choices (debug_report, system_logs_data, qa-report-collector) use innocuous-sounding labels as camouflage. Spanish-language code comments indicate the author's locale. The package has no install scripts flag on npm — all execution is triggered by require/import, making it effective in any build pipeline or test framework that imports the package.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownqa-report-collector-global1.3.0 (affected)

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›