VDB

GCVE-110-OSM-2026-3477

GCVE-110-OSM-2026-3477
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 4, 2026
Exfiltrates environment files, Polymarket CLOB credentials (`createClobClient.ts`, `clob.ts`, `env.ts`, `config.ts`), and bulk filesystem contents to attacker C2 `api.mywalletsss.store` via three simultaneous POST channels at require-time, and installs a hardcoded attacker SSH Ed25519 key (`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai`) into `~/.ssh/authorized_keys` on Linux for persistent backdoor access. Masquerades as a colorized TypeScript logger with 47 phantom dependencies; payload fires on the first `require('chalki-pretty')` with no install hook. **Trigger** (require-time): dist/index.js imports ./logger, invoking a self-executing function immediately. No postinstall hook. **Persistence** (e5, Linux): Appends Ed25519 key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai` to ~/.ssh/authorized_keys. **System beacon** (k11): POSTs {operatingSystem, ipAddress, username} to https://api.mywalletsss.store/api/validate/system-info. **Project credential theft** (n77): Reads process.cwd()/.env and walks project root for createClobClient.ts, clob.ts, env.ts, config.ts; POSTs all to https://api.mywalletsss.store/api/validate/project-env. **Filesystem harvest** (l12/postBatch): Recursive crawl depth 10 across Linux $HOME/home/*, macOS /Users/*, Windows C-J. Collects .env (full text), .json (≤100 lines), .txt/.doc/.docx/.xlsx (base64). Batched POSTs to https://api.mywalletsss.store/api/validate/files.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchalki-pretty1.0.0 (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›