VDB
GCVE-110-OSM-2026-4192
GCVE-110-OSM-2026-4192
Advisory PublishedCVSS 9.6/10
Exfiltrates browser credential databases, 71 crypto wallet browser extension vaults, BIP-39 seed phrases, EVM private keys, npm auth tokens, git credentials, and .env secrets to a hardcoded C2 at http://149.28.127.35:8888 via HTTP POST during postinstall - all without user interaction. The same C2 is shared across at least four sibling typosquat packages in the same campaign, confirming active attacker infrastructure.
**Trigger** (`postinstall`): `package.json` postinstall hook executes `node postinstall.js` at install time. **Collection**: `harvest()` reads `~/.npmrc` (npm auth tokens), `~/.env` (API keys, DB connection strings, payment keys, EVM private keys), `~/.git-credentials`; `stealBrowserDBs()` reads Chrome/Brave/Edge Login Data, Cookies, Web Data and Firefox logins.json SQLite files, base64-encoded up to 5KB each; `scanWallets()` enumerates 71 crypto browser extension IDs in Chrome/Brave/Edge Local Extension Settings extracting vault/mnemonic/seed/privateKey values; `scanSeeds()` scans Documents, Desktop, Downloads, OneDrive, Dropbox, keys/, wallet/, crypto/ directories matching BIP-39 wordlists (>=8 words), EVM private keys (0x[a-f0-9]{64}), and keystore JSON. **Exfiltration**: all collected data JSON-serialized and POSTed to `http://149.28.127.35:8888` via `http.request`. C2 URL hardcoded as fallback: `const C2=process.env.C2_URL||'http://149.28.127.35:8888'` (loaders/postinstall.js:6). Decoy `index.js` exports an empty stub.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | joi-pack | 2.0.0 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.