VDB
GCVE-110-OSM-2026-3477
GCVE-110-OSM-2026-3477
Advisory PublishedCVSS 9.6/10
Exfiltrates environment files, Polymarket CLOB credentials (`createClobClient.ts`, `clob.ts`, `env.ts`, `config.ts`), and bulk filesystem contents to attacker C2 `api.mywalletsss.store` via three simultaneous POST channels at require-time, and installs a hardcoded attacker SSH Ed25519 key (`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai`) into `~/.ssh/authorized_keys` on Linux for persistent backdoor access. Masquerades as a colorized TypeScript logger with 47 phantom dependencies; payload fires on the first `require('chalki-pretty')` with no install hook.
**Trigger** (require-time): dist/index.js imports ./logger, invoking a self-executing function immediately. No postinstall hook.
**Persistence** (e5, Linux): Appends Ed25519 key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai` to ~/.ssh/authorized_keys.
**System beacon** (k11): POSTs {operatingSystem, ipAddress, username} to https://api.mywalletsss.store/api/validate/system-info.
**Project credential theft** (n77): Reads process.cwd()/.env and walks project root for createClobClient.ts, clob.ts, env.ts, config.ts; POSTs all to https://api.mywalletsss.store/api/validate/project-env.
**Filesystem harvest** (l12/postBatch): Recursive crawl depth 10 across Linux $HOME/home/*, macOS /Users/*, Windows C-J. Collects .env (full text), .json (≤100 lines), .txt/.doc/.docx/.xlsx (base64). Batched POSTs to https://api.mywalletsss.store/api/validate/files.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chalki-pretty | 1.0.0 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.