VDB
GCVE-110-OSM-2026-4190
GCVE-110-OSM-2026-4190
Advisory PublishedCVSS 9.6/10
Steals browser credentials, cryptocurrency wallet seeds and private keys, npm auth tokens, git credentials, and environment secrets from developer machines via a postinstall hook that silently POSTs a full harvest blob to attacker-controlled C2 at http://149.28.127.35:8888. The postinstall.js infostealer reads Chrome/Brave/Edge/Firefox Login Data SQLite databases, scans 71 browser extension wallet directories for vault/mnemonic/seed/privateKey entries, and searches common directories for BIP-39 seed phrases and EVM private keys — all exfiltrated in a single HTTP POST on npm install. Part of a 10-package typosquat campaign by publisher kwakom targeting popular packages including nock, cheerio, dotenv, express, and rimraf.
**Trigger** (`postinstall`): `package.json` declares `"postinstall": "node postinstall.js"` which executes silently at `npm install`. **Collection — credentials**: `harvest()` reads `~/.npmrc` extracting `//registry.npmjs.org/:_authToken` and `npm_*` tokens; reads `~/.env` extracting TOKEN/API/DB/PAY/EMAIL-classified keys and EVM private keys (`0x[a-f0-9]{64}`); reads `~/.git-credentials` exfiltrating all stored lines. **Collection — browser credentials**: `stealBrowserDBs()` reads Chrome/Brave/Edge Login Data and Firefox `logins.json` SQLite databases (base64-encoded, up to 5KB each), capturing saved passwords and cookies. **Collection — crypto wallets**: `scanWallets()` iterates 71 browser extension wallet IDs in Chrome/Brave/Edge LevelDB extension directories, extracting vault/mnemonic/seed/privateKey fields. **Collection — seed files**: `scanSeeds()` searches Documents, Desktop, Downloads, OneDrive, Dropbox, keys, wallet, and crypto directories for files matching seed/backup/wallet/phrase/crypto/metamask/phantom/vault/key/private/mnemonic/recover/keystore patterns, extracting EVM private keys and BIP-39 seed words. **Exfiltration**: all collected data is JSON-serialized into a harvest blob (`{ hostname, username, timestamp, secrets[], browsers[], wallets[], seeds[] }`) and HTTP-POSTed to `http://149.28.127.35:8888` (confirmed literal: `loaders/postinstall.js:6`). `index.js` is a decoy stub that exports a dummy version/description object.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | nock-helper | 2.0.0 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.