VDB

GCVE-110-OSM-2026-2601

GCVE-110-OSM-2026-2601
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 17, 2026
Typosquat credential stealer disguised as a crypto utility library. Executes XOR-obfuscated payload via postinstall hook that harvests environment files, tokens, SSH keys, AWS credentials, and system info, then exfiltrates via HTTPS POST to a Vercel-hosted C2. The postinstall hook runs setup.js, which decodes an obfuscated blob using string reversal, base64 with '!' substituted for '=' padding, and XOR cipher (key 'OrDeR_7077', constant 0x4D). The decoded payload executes via new Function() constructor. It traverses up to 6 parent directories harvesting .env, .env.local, .env.production, and .env.development files. It reads 18 named environment variables from process.env (GITHUB_TOKEN, GH_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DATABASE_URL, DB_PASSWORD, API_KEY, SECRET_KEY, JWT_SECRET, STRIPE_SECRET_KEY, VERCEL_TOKEN, DOCKER_PASSWORD, FIREBASE_TOKEN, SLACK_TOKEN, DISCORD_TOKEN). It checks for ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc (reads full content), ~/.env, and ~/.git-credentials. System reconnaissance collects hostname, username, platform, architecture, Node version, home directory, and IPv4 network interfaces with MAC addresses. All data is JSON-serialized and sent via HTTPS POST to https://csec-supply-chain-attack.vercel.app/e with a 3000ms timeout. After exfiltration, setup.js self-deletes after 500ms and replaces package.json with a clean backup (package.md) to remove the postinstall hook evidence.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownccsseecc-crypto-toolkit4.5.1 (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›