VDB
GCVE-110-OSM-2026-4194
GCVE-110-OSM-2026-4194
Advisory PublishedCVSS 9.6/10
Steals browser saved passwords, cookies, and session data from Chrome, Brave, Edge, and Firefox; scans 71 crypto wallet browser extensions for vault keys, mnemonics, and seed phrases; recursively searches the filesystem for crypto keystores and seed phrase files; and harvests npm tokens, API keys, and git credentials from ~/.npmrc, ~/.env, and ~/.git-credentials — all exfiltrated via HTTP POST to hardcoded C2 at http://149.28.127.35:8888 during postinstall. Typosquats the popular `chalk` package; index.js is a decoy stub to avoid detection.
**Trigger** (`postinstall`): executes `node postinstall.js` at install time with no user interaction.
**Collection — browser credentials**: reads Chrome, Brave, and Edge `Login Data` SQLite files as base64; reads Firefox `logins.json`; reads Chrome and Edge `Cookies` SQLite databases.
**Collection — crypto wallets**: scans Local Extension Settings for 71 known wallet extension IDs (MetaMask, Phantom, etc.) and extracts `vault`, `data`, `keyring`, `mnemonic`, `seed`, and `privateKey` fields from `.log` files.
**Collection — filesystem seed scan**: recursively searches Documents, Desktop, Downloads, OneDrive, Dropbox, and crypto-named directories for files matching `seed|backup|wallet|phrase|crypto|metamask|phantom|vault|key|private|mnemonic|recover|keystore|foundry|hardhat`; extracts EVM private keys and BIP39 seed words via regex.
**Collection — developer credentials**: reads `~/.npmrc` (npm auth tokens), `~/.env` (API keys, passwords, DB connection strings), `~/.git-credentials`.
**Exfiltration**: all harvested data JSON-serialised and POSTed via `http.request()` to `http://149.28.127.35:8888` (literal at `postinstall.js:7`). No second-stage fetch; full payload executes in one pass.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chalk-utils | 2.0.0 (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.