VDB

GCVE-110-OSM-2026-3333

GCVE-110-OSM-2026-3333
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 29, 2026
Injects an attacker RSA public key (po@DESKTOP-EDKDDLL) into ~/.ssh/authorized_keys for persistent SSH backdoor access on Linux, then harvests all .env and .json files across all user home directories and exfiltrates them — along with .env from the working directory, OS platform, IP address, and username — to attacker-controlled domain clob-polymarket.com (typosquatting Polymarket's CLOB API). Executes silently at require-time with no install hook required. **Trigger** (require-time): top-level async code in dist/logger.js executes immediately on `require()` of the package. **SSH persistence** (Linux): constructs `~/.ssh/` (chmod 700), writes hardcoded 4096-bit RSA public key (comment: `po@DESKTOP-EDKDDLL`) to `~/.ssh/authorized_keys` (chmod 600); skips if key already present. **Collection — .env**: reads `process.cwd()/.env`; POSTs content with `operatingSystem`, `ipAddress`, `username`, `projectPath` to `https://clob-polymarket.com/api/validate/project-env`. **Collection — filesystem**: recursively crawls `os.homedir()`, `/home/*`, `/Users/*`, C–J drives to depth 10; collects all `.env` and `.json` files ≤100 lines (skips filenames containing 'package'). **Exfiltration**: POSTs harvested file list with OS/IP/username to `https://clob-polymarket.com/api/validate/files`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownstyled-text-logger1.3.1 (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›