VDB
GCVE-110-OSM-2026-2605
GCVE-110-OSM-2026-2605
Advisory PublishedCVSS 8.8/10
Exfiltrates 18 credential types (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DATABASE_URL, DB_PASSWORD, API_KEY, SECRET_KEY, JWT_SECRET, STRIPE_SECRET_KEY, VERCEL_TOKEN, DOCKER_PASSWORD, FIREBASE_TOKEN, SLACK_TOKEN, DISCORD_TOKEN, GH_TOKEN, npm_token), .env files from up to 6 parent directories, ~/.npmrc contents, and SSH key existence probes (~/.ssh/id_rsa, ~/.ssh/id_ed25519) via HTTPS POST to csec-supply-chain-attack.vercel.app/e. Obfuscated payload self-deletes after exfiltration to conceal evidence.
**Trigger** (`postinstall`): executes `node setup.js` at install time.
**Deobfuscation**: setup.js contains a custom XOR-obfuscated payload — the encoded string is reversed, '!' replaced with '=', base64-decoded, then XOR'd with key 'OrDeR_7077' (constant 333). Decoded payload executed via `new Function('require','__dirname','__filename', decoded_string)`.
**Collection**: reads 18 named credential environment variables from `process.env`. Walks up to 6 parent directories collecting .env, .env.local, .env.production, .env.development files and parses all key=value pairs. Reads ~/.npmrc content directly. Probes existence of ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.env, ~/.git-credentials. Collects hostname, username, platform, arch, homedir, Node version, IPv4 network interfaces with MAC addresses.
**Exfiltration**: POSTs all collected data to `https://csec-supply-chain-attack.vercel.app/e`.
**Anti-forensics**: after 500ms delay, deletes setup.js and renames package.md (clean copy) to package.json to remove evidence of the malicious postinstall hook.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ccsec-crypto-toolkit | 4.5.1 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.