VDB

GCVE-110-OSM-2026-4191

GCVE-110-OSM-2026-4191
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
Steals browser saved passwords, cookies, and crypto wallet seeds from 71 browser extension vaults (MetaMask, Phantom, Coinbase) via a postinstall hook that fires silently at install time, then exfiltrates all collected credentials and filesystem seed phrase files to a hardcoded C2 at http://149.28.127.35:8888 via HTTP POST. Also harvests npm auth tokens, .env API keys, EVM private keys, and git credentials. Typosquat of the legitimate cheerio HTML-parsing library. **Trigger** (`postinstall`): executes `node postinstall.js` at install time with no user interaction. **Collection — browser credentials**: reads Login Data SQLite files from Chrome, Brave, Edge, and Firefox profile paths (cross-platform Windows and Linux paths); base64-encodes contents before transmission. **Collection — browser cookies**: reads Cookies SQLite from Chrome, Edge, and Brave profile directories. **Collection — crypto wallets**: iterates 71 hardcoded browser extension IDs (MetaMask: nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom: bfnaelmomeimhlpmgjnjophhpkkoljpa, Coinbase and others); scans extension Local Storage .log files for vault, keyring, mnemonic, seed, privateKey patterns. **Collection — filesystem seed scan**: recursively searches Documents, Desktop, Downloads, OneDrive, Dropbox, keys, wallet, and crypto directories for filenames matching seed|backup|wallet|phrase|crypto|metamask|phantom|vault|key|private|mnemonic|recover|keystore; extracts BIP-39 mnemonic phrases (>=8 word matches), EVM private keys (regex 0x[a-f0-9]{64}), and JSON keystores. **Collection — secrets files**: reads ~/.npmrc (npm auth tokens), ~/.env (TOKEN/API/DB/PAY/EMAIL keys and EVM private keys), ~/.git-credentials (git credentials). **Exfiltration**: all collected data JSON-serialized and transmitted via HTTP POST to `http://149.28.127.35:8888` — C2 defined as constant `const C2 = process.env.C2_URL || 'http://149.28.127.35:8888'` in postinstall.js. **Decoy**: index.js contains a developer comment stating 'The real payload is in postinstall.js' — confirms intentional misdirection.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncheerio-tool2.0.0 (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›