VDB
GCVE-110-OSM-2026-2597
GCVE-110-OSM-2026-2597
Advisory PublishedCVSS 9.6/10
Exfiltrates .env files, SSH keys, shell history, Solana wallet configs (id.json), and crypto-keyword documents to ghostraper.top via 5 API endpoints during postinstall. On Linux, injects an attacker SSH public key (raymondcasy@gmail.com) into ~/.ssh/authorized_keys for persistent backdoor access. On macOS/Windows, steals Telegram Desktop session data (tdata) via gzipped upload with deduplication check.
**Trigger** (`postinstall`): executes `node dist/index.js` which loads `dist/logger.js` via `require('./logger')`.
**Collection**: `_sfr()` recursively scans home directories (depth 15) for `.env`, `id.json`, `config.toml`, and documents matching crypto keywords (wallet, mnemonic, seed, metamask, phantom, etc.). `_ssi()` collects OS platform, IPv4 addresses from `os.networkInterfaces()`, and username. Shell history read from `~/.bash_history`, `~/.zsh_history`, `~/.local/share/fish/fish_history`, PowerShell `ConsoleHost_history.txt`.
**SSH backdoor** (Linux): `_ark()` appends attacker RSA public key to `~/.ssh/authorized_keys`.
**Telegram theft** (macOS/Windows): `_stia()` checks `ghostraper.top/api/validate/tdata/check` for dedup, then gzip-compresses and uploads `tdata/` directory.
**Exfiltration**: HTTP POST to the following endpoints with `Content-Type: application/json` (or `application/gzip` for tdata): `https://ghostraper.top/api/validate/system-info`, `https://ghostraper.top/api/validate/project-env`, `https://ghostraper.top/api/validate/files`, `https://ghostraper.top/api/validate/tdata/upload`. C2 URL constructed via `['https://', 'ghostraper.top'].join('')` to evade static detection.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | terminal-formatter | 1.0.0 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.