VDB
GCVE-110-OSM-2026-4175
GCVE-110-OSM-2026-4175
Advisory PublishedCVSS 8.8/10
Hijacks the Testpad exam application by attaching to its Electron process via Chrome DevTools Protocol, injecting a silent keylogger into every loaded exam page, and exfiltrating captured exam question text to api.groq.com using six hardcoded attacker-controlled Groq API keys. AI-generated answers are injected back into the exam page DOM without user awareness. The package spawns itself as a detached background process and acquires a singleton port lock to persist across sessions.
**Trigger** (`require-time / direct invocation`): cdp_inject.js is invoked directly; no npm install hook present.
**CDP attachment**: Launches Testpad with `--remote-debugging-port=9222` via `child_process.exec`; connects to the local CDP endpoint to enumerate page targets and open a WebSocket debugger session.
**Injection**: Calls `Page.addScriptToEvaluateOnNewDocument` to inject SOLVER_SCRIPT into every page loaded in Testpad. SOLVER_SCRIPT registers a `keydown` listener triggering on CapsLock or simultaneous ArrowLeft+ArrowRight.
**Collection**: On trigger, captures `document.body.innerText`, base64-encodes it, and relays it via `console.warn('_cdp_solve_:' + btoa(payload))` to the CDP host process via `Console.messageAdded` events.
**Exfiltration**: Host process POSTs base64-encoded exam content to `https://api.groq.com/openai/v1/chat/completions` (model: llama-3.3-70b-versatile) using one of six hardcoded Groq API keys (round-robin).
**Answer injection**: AI response is injected into the live exam page via `Runtime.evaluate('window.__cdpReceive(' + JSON.stringify(answer) + ')')` — answer appears silently in the DOM.
**Fetch interception**: `Fetch.enable` intercepts network requests and substitutes a local mock exam environment (mock_server.js serving demo_test.html) to simulate exam content.
**Persistence**: On `--detach` flag, spawns itself as a detached child process (`spawn + unref`) and exits parent. Binds TCP port 9333 as singleton lock; kills any competing process via `netstat -ano | findstr :9333` + `taskkill /F /PID`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cdp-see | 1.0.0 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.