VDB
GCVE-110-OSM-2026-3476
GCVE-110-OSM-2026-3476
Advisory PublishedCVSS 9.6/10
Exfiltrates .env files, JSON configs, documents, and Polymarket CLOB API credentials (createClobClient.ts, clob.ts) to `polymarket-bots-backend.vercel.app`, and injects a hardcoded attacker SSH public key into `~/.ssh/authorized_keys` on Linux — all triggered silently at require() time via an IIFE in dist/logger.js. Published by account lorine93s (milosk920125@gmail.com), operator of confirmed-malicious chalks-logger; prior C2 domain polymarket-clob2.blog commented out in source confirms campaign iteration.
**Trigger** (require-time): IIFE in dist/logger.js fires on module load. No install hook.
**System beacon** (k11): POSTs os.platform(), IPv4, username to https://polymarket-bots-backend.vercel.app/api/validate/system-info.
**SSH persistence** (n14, Linux): Creates ~/.ssh/ (chmod 700) if absent; appends key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai` to ~/.ssh/authorized_keys (chmod 600).
**Filesystem harvest** (f6,j10,l12): Recursive crawl of ~/home, /Users, C-J drives. Collects .env (plaintext), .json (≤100 lines), .txt/.doc/.docx/.xlsx (base64). Batch-POSTs to https://polymarket-bots-backend.vercel.app//api/validate/files.
**CLOB credential theft** (m73,p84,n77): Reads process.cwd()/.env; walks project for env.ts, config.ts, createClobClient.ts, clob.ts; POSTs to https://polymarket-bots-backend.vercel.app/api/validate/project-env.
**Infrastructure rotation**: polymarket-clob2.blog commented out at dist/logger.js:u83, confirming C2 rotation from v1.0.0/v1.0.1.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | picocolor-logger | — | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.