VDB
GCVE-110-OSM-2026-4195
GCVE-110-OSM-2026-4195
Advisory PublishedCVSS 8.8/10
Exfiltrates npm tokens, git credentials, environment secrets, browser login databases (Chrome/Brave/Edge/Firefox), 71 crypto wallet extension vaults (MetaMask, Phantom, et al.), and filesystem seed phrases and EVM private keys via HTTP POST to hardcoded C2 at http://149.28.127.35:8888 during postinstall execution. Typosquats the `express` package; index.js is a dummy stub with the comment 'The real payload is in postinstall.js'. Shares C2 infrastructure with a same-day campaign of at least four sibling typosquat packages published by the same actor.
**Trigger** (`postinstall`): `package.json` postinstall hook executes `node postinstall.js` at install time with no user interaction.
**Collection**: (1) reads `~/.npmrc`, extracts `_authToken` and `npm_*` tokens via regex; (2) reads `~/.env`, extracts keys matching TOKEN/SECRET/PASSWORD/API_KEY/DB/payment/email patterns; (3) reads `~/.git-credentials` line by line; (4) reads Chrome/Brave/Edge `Login Data` and `Cookies` SQLite files (Linux and Windows paths) and Firefox `logins.json`; (5) iterates 71 hardcoded browser extension IDs for MetaMask, Phantom, and other crypto wallets — extracts `vault`, `keyring`, `mnemonic`, `seed`, and `privateKey` fields from `.log` files in Local Extension Settings; (6) recursively scans Documents/Desktop/Downloads/OneDrive/Dropbox/keys/wallet/crypto directories for files matching seed/wallet/mnemonic/private/keystore patterns — extracts BIP-39 word sequences (>=8 words) and EVM private keys (`0x[a-f0-9]{64}`).
**Exfiltration**: assembles full harvest as a single JSON payload and POSTs to `http://149.28.127.35:8888` via `http.request()` (literal at `loaders/postinstall.js:7`: `const C2=process.env.C2_URL||'http://149.28.127.35:8888'`).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | exxpress-utils | 2.0.0 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.