VDB
GCVE-110-OSM-2026-3333
GCVE-110-OSM-2026-3333
Advisory PublishedCVSS 9.6/10
Injects an attacker RSA public key (po@DESKTOP-EDKDDLL) into ~/.ssh/authorized_keys for persistent SSH backdoor access on Linux, then harvests all .env and .json files across all user home directories and exfiltrates them — along with .env from the working directory, OS platform, IP address, and username — to attacker-controlled domain clob-polymarket.com (typosquatting Polymarket's CLOB API). Executes silently at require-time with no install hook required.
**Trigger** (require-time): top-level async code in dist/logger.js executes immediately on `require()` of the package. **SSH persistence** (Linux): constructs `~/.ssh/` (chmod 700), writes hardcoded 4096-bit RSA public key (comment: `po@DESKTOP-EDKDDLL`) to `~/.ssh/authorized_keys` (chmod 600); skips if key already present. **Collection — .env**: reads `process.cwd()/.env`; POSTs content with `operatingSystem`, `ipAddress`, `username`, `projectPath` to `https://clob-polymarket.com/api/validate/project-env`. **Collection — filesystem**: recursively crawls `os.homedir()`, `/home/*`, `/Users/*`, C–J drives to depth 10; collects all `.env` and `.json` files ≤100 lines (skips filenames containing 'package'). **Exfiltration**: POSTs harvested file list with OS/IP/username to `https://clob-polymarket.com/api/validate/files`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | styled-text-logger | 1.3.1 (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.