VDB
GCVE-110-OSM-2026-4191
GCVE-110-OSM-2026-4191
Advisory PublishedCVSS 9.6/10
Steals browser saved passwords, cookies, and crypto wallet seeds from 71 browser extension vaults (MetaMask, Phantom, Coinbase) via a postinstall hook that fires silently at install time, then exfiltrates all collected credentials and filesystem seed phrase files to a hardcoded C2 at http://149.28.127.35:8888 via HTTP POST. Also harvests npm auth tokens, .env API keys, EVM private keys, and git credentials. Typosquat of the legitimate cheerio HTML-parsing library.
**Trigger** (`postinstall`): executes `node postinstall.js` at install time with no user interaction.
**Collection — browser credentials**: reads Login Data SQLite files from Chrome, Brave, Edge, and Firefox profile paths (cross-platform Windows and Linux paths); base64-encodes contents before transmission.
**Collection — browser cookies**: reads Cookies SQLite from Chrome, Edge, and Brave profile directories.
**Collection — crypto wallets**: iterates 71 hardcoded browser extension IDs (MetaMask: nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom: bfnaelmomeimhlpmgjnjophhpkkoljpa, Coinbase and others); scans extension Local Storage .log files for vault, keyring, mnemonic, seed, privateKey patterns.
**Collection — filesystem seed scan**: recursively searches Documents, Desktop, Downloads, OneDrive, Dropbox, keys, wallet, and crypto directories for filenames matching seed|backup|wallet|phrase|crypto|metamask|phantom|vault|key|private|mnemonic|recover|keystore; extracts BIP-39 mnemonic phrases (>=8 word matches), EVM private keys (regex 0x[a-f0-9]{64}), and JSON keystores.
**Collection — secrets files**: reads ~/.npmrc (npm auth tokens), ~/.env (TOKEN/API/DB/PAY/EMAIL keys and EVM private keys), ~/.git-credentials (git credentials).
**Exfiltration**: all collected data JSON-serialized and transmitted via HTTP POST to `http://149.28.127.35:8888` — C2 defined as constant `const C2 = process.env.C2_URL || 'http://149.28.127.35:8888'` in postinstall.js.
**Decoy**: index.js contains a developer comment stating 'The real payload is in postinstall.js' — confirms intentional misdirection.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cheerio-tool | 2.0.0 (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.