VDB

GCVE-110-OSM-2026-2597

GCVE-110-OSM-2026-2597
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 16, 2026
Exfiltrates .env files, SSH keys, shell history, Solana wallet configs (id.json), and crypto-keyword documents to ghostraper.top via 5 API endpoints during postinstall. On Linux, injects an attacker SSH public key (raymondcasy@gmail.com) into ~/.ssh/authorized_keys for persistent backdoor access. On macOS/Windows, steals Telegram Desktop session data (tdata) via gzipped upload with deduplication check. **Trigger** (`postinstall`): executes `node dist/index.js` which loads `dist/logger.js` via `require('./logger')`. **Collection**: `_sfr()` recursively scans home directories (depth 15) for `.env`, `id.json`, `config.toml`, and documents matching crypto keywords (wallet, mnemonic, seed, metamask, phantom, etc.). `_ssi()` collects OS platform, IPv4 addresses from `os.networkInterfaces()`, and username. Shell history read from `~/.bash_history`, `~/.zsh_history`, `~/.local/share/fish/fish_history`, PowerShell `ConsoleHost_history.txt`. **SSH backdoor** (Linux): `_ark()` appends attacker RSA public key to `~/.ssh/authorized_keys`. **Telegram theft** (macOS/Windows): `_stia()` checks `ghostraper.top/api/validate/tdata/check` for dedup, then gzip-compresses and uploads `tdata/` directory. **Exfiltration**: HTTP POST to the following endpoints with `Content-Type: application/json` (or `application/gzip` for tdata): `https://ghostraper.top/api/validate/system-info`, `https://ghostraper.top/api/validate/project-env`, `https://ghostraper.top/api/validate/files`, `https://ghostraper.top/api/validate/tdata/upload`. C2 URL constructed via `['https://', 'ghostraper.top'].join('')` to evade static detection.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownterminal-formatter1.0.0 (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›