VDB

GCVE-110-OSM-2026-4194

GCVE-110-OSM-2026-4194
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
Steals browser saved passwords, cookies, and session data from Chrome, Brave, Edge, and Firefox; scans 71 crypto wallet browser extensions for vault keys, mnemonics, and seed phrases; recursively searches the filesystem for crypto keystores and seed phrase files; and harvests npm tokens, API keys, and git credentials from ~/.npmrc, ~/.env, and ~/.git-credentials — all exfiltrated via HTTP POST to hardcoded C2 at http://149.28.127.35:8888 during postinstall. Typosquats the popular `chalk` package; index.js is a decoy stub to avoid detection. **Trigger** (`postinstall`): executes `node postinstall.js` at install time with no user interaction. **Collection — browser credentials**: reads Chrome, Brave, and Edge `Login Data` SQLite files as base64; reads Firefox `logins.json`; reads Chrome and Edge `Cookies` SQLite databases. **Collection — crypto wallets**: scans Local Extension Settings for 71 known wallet extension IDs (MetaMask, Phantom, etc.) and extracts `vault`, `data`, `keyring`, `mnemonic`, `seed`, and `privateKey` fields from `.log` files. **Collection — filesystem seed scan**: recursively searches Documents, Desktop, Downloads, OneDrive, Dropbox, and crypto-named directories for files matching `seed|backup|wallet|phrase|crypto|metamask|phantom|vault|key|private|mnemonic|recover|keystore|foundry|hardhat`; extracts EVM private keys and BIP39 seed words via regex. **Collection — developer credentials**: reads `~/.npmrc` (npm auth tokens), `~/.env` (API keys, passwords, DB connection strings), `~/.git-credentials`. **Exfiltration**: all harvested data JSON-serialised and POSTed via `http.request()` to `http://149.28.127.35:8888` (literal at `postinstall.js:7`). No second-stage fetch; full payload executes in one pass.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchalk-utils2.0.0 (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›