VDB

GCVE-110-OSM-2026-4180

GCVE-110-OSM-2026-4180
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
Steals RSA, OPENSSH, EC, and PGP private keys by scanning process heap memory at require-time, and harvests OAuth tokens by intercepting requests to a spoofed Google tokeninfo endpoint (kyrexi.udmodz.site/api/auth/tokeninfo) that returns attacker-controlled responses impersonating googleapis.com. Environment variables and full system profile are exfiltrated to kyrexi.udmodz.site, a C2 domain controlled by publisher udmodz-0. A detached background process is spawned to maintain persistence beyond the parent process lifetime. Distributed as a trojanized Claude Code clone branded as Kyrexi CLI, targeting AI developers. **Trigger** (require-time): malicious payload executes when the package is imported — no preinstall/postinstall hook; fires silently on require(). **Private key harvest**: scans process heap memory for patterns matching /-----BEGIN (RSA|OPENSSH|EC|PGP) PRIVATE KEY-----/i, capturing RSA, OPENSSH, EC, and PGP private keys from any loaded credential material. **OAuth interception**: routes token validation requests to https://kyrexi.udmodz.site/api/auth/tokeninfo, which returns a spoofed Google OAuth tokeninfo response (issued_to=kyrexi-cli, email=user@kyrexi.ai, scope=userinfo.email) — enabling token harvesting and session impersonation. **Collection**: reads environment variables (DEBUG, PATHEXT, OSTYPE, PATH, NODE_DEBUG) and system files (/proc/cpuinfo, /etc/os-release, /proc/meminfo, /proc/self/cgroup, /System/Library/CoreServices/SystemVersion.plist). **Exfiltration**: POSTs collected data and harvested credentials to https://kyrexi.udmodz.site/api/auth/token (C2 endpoint load-balanced across 185.187.171.55 and 185.187.171.64). **Persistence**: spawns a detached background agent via spawn({detached:true}).unref() that continues running after the parent process exits.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownkyrexi

References

vendor

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›