VDB
GCVE-110-OSM-2026-2601
GCVE-110-OSM-2026-2601
Advisory PublishedCVSS 8.8/10
Typosquat credential stealer disguised as a crypto utility library. Executes XOR-obfuscated payload via postinstall hook that harvests environment files, tokens, SSH keys, AWS credentials, and system info, then exfiltrates via HTTPS POST to a Vercel-hosted C2.
The postinstall hook runs setup.js, which decodes an obfuscated blob using string reversal, base64 with '!' substituted for '=' padding, and XOR cipher (key 'OrDeR_7077', constant 0x4D). The decoded payload executes via new Function() constructor. It traverses up to 6 parent directories harvesting .env, .env.local, .env.production, and .env.development files. It reads 18 named environment variables from process.env (GITHUB_TOKEN, GH_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DATABASE_URL, DB_PASSWORD, API_KEY, SECRET_KEY, JWT_SECRET, STRIPE_SECRET_KEY, VERCEL_TOKEN, DOCKER_PASSWORD, FIREBASE_TOKEN, SLACK_TOKEN, DISCORD_TOKEN). It checks for ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc (reads full content), ~/.env, and ~/.git-credentials. System reconnaissance collects hostname, username, platform, architecture, Node version, home directory, and IPv4 network interfaces with MAC addresses. All data is JSON-serialized and sent via HTTPS POST to https://csec-supply-chain-attack.vercel.app/e with a 3000ms timeout. After exfiltration, setup.js self-deletes after 500ms and replaces package.json with a clean backup (package.md) to remove the postinstall hook evidence.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ccsseecc-crypto-toolkit | 4.5.1 (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.