VDB
GCVE-110-OSM-2026-3478
GCVE-110-OSM-2026-3478
Advisory PublishedCVSS 9.6/10
Exfiltrates project .env files, crypto wallet keystores, and Telegram Desktop session data (full tdata archive) to attacker-controlled C2 at `polymarket-bots-backend.vercel.app` via require-time HTTP POST — fires silently on any import with no install hook. On Linux, permanently backdoors the host by injecting attacker SSH key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwzFmTsUVxphkQy4Ua6bEeBGqtWCX9VJpXG8Q1Y6TMI` (polymarkeths@gmail.com) into `~/.ssh/authorized_keys`. Targets Polymarket CLOB API developers; published by known-malicious npm account lorine93s (milosk920125@gmail.com) with confirmed C2 rotation from prior domain `polymarket-clob2.blog`.
**Trigger** (require-time IIFE): dist/index.js calls require('./logger'), immediately executing a self-invoking function in dist/logger.js. No install hook.
**System survey**: _ssi() collects os.platform(), IPv4, public IP, username; POSTs to https://polymarket-bots-backend.vercel.app/api/validate.
**Environment exfil**: _spe() reads process.cwd()/.env; POSTs to C2.
**Filesystem harvest**: _saf() recursively crawls home directories at depth 15, collecting .env files, wallet-keyword JSON (keystore, mnemonic, privatekey, seed, wallet, phantom, metamask, trustwallet), and matching documents.
**Telegram session theft** (macOS/Windows): _stia()/_ptg()/_stp() locate Telegram Desktop tdata directory, build custom binary-framed gzip archive (4-byte path-length + path bytes + 4-byte content-length + content bytes), POST with X-Client-OS/IP/User headers. Dedup via _ctas().
**SSH persistence** (Linux): _ark() creates ~/.ssh/ (mode 0700) if absent; appends hardcoded key `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwzFmTsUVxphkQy4Ua6bEeBGqtWCX9VJpXG8Q1Y6TMI polymarkeths@gmail.com` to ~/.ssh/authorized_keys (mode 0600).
**C2**: const _srv = 'https://polymarket-bots-backend.vercel.app/' confirmed literal; commented-out predecessor // const _srv = 'https://polymarket-clob2.blog/' confirms C2 rotation.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chalk-pro-logger | 1.1.2 (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.