VDB
GCVE-110-OSM-2026-3331
GCVE-110-OSM-2026-3331
Advisory PublishedCVSS 9.6/10
Exfiltrates LOCALAPPDATA and XDG_DATA_HOME environment variables and .env file contents to an attacker-controlled HuggingFace-hosted endpoint at postinstall, with 78 spawn/spawnSync calls in the payload indicating extensive process execution beyond simple data theft. Confirmed BeaverTail variant: decoded payload contains port 1244 and XOR key 'utf8' — campaign-specific indicators linking this package to DPRK DeceptiveDevelopment. Package has 478 weekly downloads across 7 days live — treat all installs as compromised.
**Trigger** (`postinstall`): `node print.cjs` executes the 242KB obfuscator.io-rotation-RC4 obfuscated payload at install time. **Collection**: reads `process.env.LOCALAPPDATA` and `process.env.XDG_DATA_HOME`; reads `.env` file from working directory. **Encoding**: collected data base64-encoded before transmission. **Exfiltration**: transmits to an attacker-controlled HuggingFace-hosted endpoint (full URL not recovered from decoded output). **Execution breadth**: 72 `spawn()` and 6 `spawnSync()` calls in decoded payload indicate extensive process execution capability beyond simple exfiltration. **BeaverTail indicators**: port 1244 and XOR key 'utf8' confirmed as literal strings in decoded output — campaign-specific markers consistent with DPRK DeceptiveDevelopment tooling. All 10 listed runtime dependencies are phantom — none are imported by the legitimate-looking logger facade (dist/index.js, index.ts).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | terminal-logger-pack | 1.1.1 (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.