VDB
GCVE-110-OSM-2026-4180
GCVE-110-OSM-2026-4180
Advisory PublishedCVSS 9.6/10
Steals RSA, OPENSSH, EC, and PGP private keys by scanning process heap memory at require-time, and harvests OAuth tokens by intercepting requests to a spoofed Google tokeninfo endpoint (kyrexi.udmodz.site/api/auth/tokeninfo) that returns attacker-controlled responses impersonating googleapis.com. Environment variables and full system profile are exfiltrated to kyrexi.udmodz.site, a C2 domain controlled by publisher udmodz-0. A detached background process is spawned to maintain persistence beyond the parent process lifetime. Distributed as a trojanized Claude Code clone branded as Kyrexi CLI, targeting AI developers.
**Trigger** (require-time): malicious payload executes when the package is imported — no preinstall/postinstall hook; fires silently on require().
**Private key harvest**: scans process heap memory for patterns matching /-----BEGIN (RSA|OPENSSH|EC|PGP) PRIVATE KEY-----/i, capturing RSA, OPENSSH, EC, and PGP private keys from any loaded credential material.
**OAuth interception**: routes token validation requests to https://kyrexi.udmodz.site/api/auth/tokeninfo, which returns a spoofed Google OAuth tokeninfo response (issued_to=kyrexi-cli, email=user@kyrexi.ai, scope=userinfo.email) — enabling token harvesting and session impersonation.
**Collection**: reads environment variables (DEBUG, PATHEXT, OSTYPE, PATH, NODE_DEBUG) and system files (/proc/cpuinfo, /etc/os-release, /proc/meminfo, /proc/self/cgroup, /System/Library/CoreServices/SystemVersion.plist).
**Exfiltration**: POSTs collected data and harvested credentials to https://kyrexi.udmodz.site/api/auth/token (C2 endpoint load-balanced across 185.187.171.55 and 185.187.171.64).
**Persistence**: spawns a detached background agent via spawn({detached:true}).unref() that continues running after the parent process exits.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | kyrexi | — | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.