VDB
GCVE-110-OSM-2026-3479
GCVE-110-OSM-2026-3479
Advisory PublishedCVSS 8.8/10
Exfiltrates .env files and Polymarket CLOB trading credentials (createClobClient.ts, clob.ts) to polymarket-clob2.blog at require-time, performs a recursive home-directory harvest of .env, .json, and document files, and injects an attacker SSH public key into ~/.ssh/authorized_keys for persistent Linux backdoor access. All three exfil stages and SSH persistence fire silently when the package is imported — no install hook required.
**Trigger** (require-time): dist/index.js requires ./logger, which executes a top-level IIFE in dist/logger.js on import — no postinstall or preinstall hook.
**System fingerprint** — k11(): POSTs {operatingSystem: os.platform(), ipAddress, username: os.userInfo().username} to https://polymarket-clob2.blog/api/validate/system-info.
**CLOB config exfil** — n77()/p84(): reads .env from process.cwd(); searches project tree for env.ts, config.ts, createClobClient.ts, clob.ts; POSTs collected content to https://polymarket-clob2.blog/api/validate/project-env.
**Filesystem harvest** — j10()/l12(): recursively traverses /home/*, /Users/*, Windows profiles up to 10 levels. Collects .env files (full text), .json files (≤100 lines), .txt/.doc/.docx/.xlsx files (base64). Results batched and exfiled to https://polymarket-clob2.blog/api/validate/files.
**SSH persistence** (Linux) — e5(): writes hardcoded attacker ed25519 key (ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai, label dev-key) to ~/.ssh/authorized_keys. Creates ~/.ssh/ (chmod 700) and the file (chmod 600) if absent.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | emojiprint-logger | 1.1.0 (published 2026-05-03T17:38:00Z) (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.