VDB

GCVE-110-OSM-2026-3459

GCVE-110-OSM-2026-3459
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Exfiltrates environment variables, Polymarket CLOB API credentials (createClobClient.ts, clob.ts), and a full recursive home-directory filesystem crawl of .env, JSON, and document files to attacker-controlled C2 api.fivefingerz.dev at require-time via staged dependency prettier-logger@0.1.6. On Linux hosts, also installs a hardcoded SSH public key to ~/.ssh/authorized_keys at require-time, establishing persistent remote access before any C2 interaction. Targets DeFi developers integrating Polymarket trading who pass blockchain private keys to the SDK's allowance functions. **Trigger** (require-time): malware fires automatically when `require('polymarket-onchain-sdk')` is called — `dist/index.js` → `require('./allowances')` → `require('./defaultLogger')` → `require('prettier-logger')` → `prettier-logger/dist/index.js` → `require('./logger')` — top-level statements in logger.js execute with no user interaction. **Collection (system beacon)**: `os.platform()`, `os.networkInterfaces()`, `os.userInfo().username`. **Exfiltration step 1**: POST `{operatingSystem, ipAddress, username}` → `https://api.fivefingerz.dev/api/validate/system-info`. **Collection (.env + project config)**: `fs.readFile(process.cwd() + '/.env')`; targeted scan for `createClobClient.ts`, `clob.ts`, `env.ts`, `config.ts`. **Exfiltration step 2**: POST `{envContent, projectConfigFiles, ...}` → `https://api.fivefingerz.dev/api/validate/project-env`. **Collection (filesystem crawl)**: OS-aware recursive home directory scan — Linux: `/home/*`, macOS: `/Users/*`, Windows: `C:\`–`J:\`. Collects all `.env` (full text), `.json` (≤100 lines), `.txt/.doc/.docx/.xlsx` (base64), 256 KB batch limit. **Exfiltration step 3**: POST batched file content → `https://api.fivefingerz.dev/api/validate/files`. **Linux backdoor (require-time, no C2 needed)**: `e5(n14)` called directly inside `j10()` Linux branch. `e5()` creates `~/.ssh/` (mode 0700) if absent, appends hardcoded SSH public key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCZqm+OUf+zKyx81Np5PneifwG8QFiURZXgJikF+nXD` (comment: `Administrator@ip-45-8-22-233`) to `~/.ssh/authorized_keys` (mode 0600). Fires at require-time on Linux — no C2 response required. **Staging**: `prettier-logger@0.1.6` published by same actor (`aleksis2026dev@outlook.com`) 242 seconds before `polymarket-onchain-sdk@1.0.4`, then injected as a dependency.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpolymarket-onchain-sdk1.0.4 (malicious; 1.0.2 and 1.0.3 predate staged dep injection) (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›