VDB

GCVE-110-OSM-2026-2605

GCVE-110-OSM-2026-2605
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 17, 2026
Exfiltrates 18 credential types (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DATABASE_URL, DB_PASSWORD, API_KEY, SECRET_KEY, JWT_SECRET, STRIPE_SECRET_KEY, VERCEL_TOKEN, DOCKER_PASSWORD, FIREBASE_TOKEN, SLACK_TOKEN, DISCORD_TOKEN, GH_TOKEN, npm_token), .env files from up to 6 parent directories, ~/.npmrc contents, and SSH key existence probes (~/.ssh/id_rsa, ~/.ssh/id_ed25519) via HTTPS POST to csec-supply-chain-attack.vercel.app/e. Obfuscated payload self-deletes after exfiltration to conceal evidence. **Trigger** (`postinstall`): executes `node setup.js` at install time. **Deobfuscation**: setup.js contains a custom XOR-obfuscated payload — the encoded string is reversed, '!' replaced with '=', base64-decoded, then XOR'd with key 'OrDeR_7077' (constant 333). Decoded payload executed via `new Function('require','__dirname','__filename', decoded_string)`. **Collection**: reads 18 named credential environment variables from `process.env`. Walks up to 6 parent directories collecting .env, .env.local, .env.production, .env.development files and parses all key=value pairs. Reads ~/.npmrc content directly. Probes existence of ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.env, ~/.git-credentials. Collects hostname, username, platform, arch, homedir, Node version, IPv4 network interfaces with MAC addresses. **Exfiltration**: POSTs all collected data to `https://csec-supply-chain-attack.vercel.app/e`. **Anti-forensics**: after 500ms delay, deletes setup.js and renames package.md (clean copy) to package.json to remove evidence of the malicious postinstall hook.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownccsec-crypto-toolkit4.5.1 (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›