VDB

GCVE-110-OSM-2026-2649

GCVE-110-OSM-2026-2649
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 17, 2026
Silently exfiltrates AWS_ACCESS_KEY, DEPLOY_TOKEN, and GITHUB_TOKEN to an OAST endpoint at tfcvc3fenlh6hdnqgw4e6ko8lzrqfj38.oastify.com via HTTP POST in the postinstall script. Credentials are transmitted twice: once in the JSON body under a `secrets` key, and again as custom HTTP headers (X-AWS-Key, X-Deploy-Token, X-GitHub-Token). Affects any CI/CD environment where these tokens are present at install time. Live callback to the OAST endpoint was confirmed at install time. **Trigger** (`postinstall`): executes `node postinstall.js` at install time. **Collection — credentials**: reads `process.env.AWS_ACCESS_KEY`, `process.env.DEPLOY_TOKEN`, `process.env.GITHUB_TOKEN` as literal references in source. **Collection — system info**: reads `os.platform()`, `os.arch()`, `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `process.version`, `process.env.CI`, `process.env.GITHUB_ACTIONS`, `process.env.GITHUB_REPOSITORY`. **Exfiltration**: HTTPS POST to `https://tfcvc3fenlh6hdnqgw4e6ko8lzrqfj38.oastify.com/telemetry` (hostname and path literals present in source). Payload is a JSON body with `info` (system data) and `secrets` (credentials) keys. Credentials additionally duplicated as custom request headers `X-AWS-Key`, `X-Deploy-Token`, `X-GitHub-Token`. Source-to-sink path fully confirmed in plaintext source.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpt-logger-telemetry-eax0x11.0.0 (affected)

Browse GCVE Records

73,044 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›