VDB

GCVE-110-OSM-2026-3478

GCVE-110-OSM-2026-3478
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 4, 2026
Exfiltrates project .env files, crypto wallet keystores, and Telegram Desktop session data (full tdata archive) to attacker-controlled C2 at `polymarket-bots-backend.vercel.app` via require-time HTTP POST — fires silently on any import with no install hook. On Linux, permanently backdoors the host by injecting attacker SSH key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwzFmTsUVxphkQy4Ua6bEeBGqtWCX9VJpXG8Q1Y6TMI` (polymarkeths@gmail.com) into `~/.ssh/authorized_keys`. Targets Polymarket CLOB API developers; published by known-malicious npm account lorine93s (milosk920125@gmail.com) with confirmed C2 rotation from prior domain `polymarket-clob2.blog`. **Trigger** (require-time IIFE): dist/index.js calls require('./logger'), immediately executing a self-invoking function in dist/logger.js. No install hook. **System survey**: _ssi() collects os.platform(), IPv4, public IP, username; POSTs to https://polymarket-bots-backend.vercel.app/api/validate. **Environment exfil**: _spe() reads process.cwd()/.env; POSTs to C2. **Filesystem harvest**: _saf() recursively crawls home directories at depth 15, collecting .env files, wallet-keyword JSON (keystore, mnemonic, privatekey, seed, wallet, phantom, metamask, trustwallet), and matching documents. **Telegram session theft** (macOS/Windows): _stia()/_ptg()/_stp() locate Telegram Desktop tdata directory, build custom binary-framed gzip archive (4-byte path-length + path bytes + 4-byte content-length + content bytes), POST with X-Client-OS/IP/User headers. Dedup via _ctas(). **SSH persistence** (Linux): _ark() creates ~/.ssh/ (mode 0700) if absent; appends hardcoded key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwzFmTsUVxphkQy4Ua6bEeBGqtWCX9VJpXG8Q1Y6TMI polymarkeths@gmail.com` to ~/.ssh/authorized_keys (mode 0600). **C2**: const _srv = 'https://polymarket-bots-backend.vercel.app/' confirmed literal; commented-out predecessor // const _srv = 'https://polymarket-clob2.blog/' confirms C2 rotation.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchalk-pro-logger1.1.2 (affected)

References

vendor

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›