VDB

GCVE-110-OSM-2026-3476

GCVE-110-OSM-2026-3476
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 4, 2026
Exfiltrates .env files, JSON configs, documents, and Polymarket CLOB API credentials (createClobClient.ts, clob.ts) to `polymarket-bots-backend.vercel.app`, and injects a hardcoded attacker SSH public key into `~/.ssh/authorized_keys` on Linux — all triggered silently at require() time via an IIFE in dist/logger.js. Published by account lorine93s (milosk920125@gmail.com), operator of confirmed-malicious chalks-logger; prior C2 domain polymarket-clob2.blog commented out in source confirms campaign iteration. **Trigger** (require-time): IIFE in dist/logger.js fires on module load. No install hook. **System beacon** (k11): POSTs os.platform(), IPv4, username to https://polymarket-bots-backend.vercel.app/api/validate/system-info. **SSH persistence** (n14, Linux): Creates ~/.ssh/ (chmod 700) if absent; appends key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai` to ~/.ssh/authorized_keys (chmod 600). **Filesystem harvest** (f6,j10,l12): Recursive crawl of ~/home, /Users, C-J drives. Collects .env (plaintext), .json (≤100 lines), .txt/.doc/.docx/.xlsx (base64). Batch-POSTs to https://polymarket-bots-backend.vercel.app//api/validate/files. **CLOB credential theft** (m73,p84,n77): Reads process.cwd()/.env; walks project for env.ts, config.ts, createClobClient.ts, clob.ts; POSTs to https://polymarket-bots-backend.vercel.app/api/validate/project-env. **Infrastructure rotation**: polymarket-clob2.blog commented out at dist/logger.js:u83, confirming C2 rotation from v1.0.0/v1.0.1.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpicocolor-logger

References

vendor

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›