VDB

GCVE-110-OSM-2026-4195

GCVE-110-OSM-2026-4195
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 15, 2026
Exfiltrates npm tokens, git credentials, environment secrets, browser login databases (Chrome/Brave/Edge/Firefox), 71 crypto wallet extension vaults (MetaMask, Phantom, et al.), and filesystem seed phrases and EVM private keys via HTTP POST to hardcoded C2 at http://149.28.127.35:8888 during postinstall execution. Typosquats the `express` package; index.js is a dummy stub with the comment 'The real payload is in postinstall.js'. Shares C2 infrastructure with a same-day campaign of at least four sibling typosquat packages published by the same actor. **Trigger** (`postinstall`): `package.json` postinstall hook executes `node postinstall.js` at install time with no user interaction. **Collection**: (1) reads `~/.npmrc`, extracts `_authToken` and `npm_*` tokens via regex; (2) reads `~/.env`, extracts keys matching TOKEN/SECRET/PASSWORD/API_KEY/DB/payment/email patterns; (3) reads `~/.git-credentials` line by line; (4) reads Chrome/Brave/Edge `Login Data` and `Cookies` SQLite files (Linux and Windows paths) and Firefox `logins.json`; (5) iterates 71 hardcoded browser extension IDs for MetaMask, Phantom, and other crypto wallets — extracts `vault`, `keyring`, `mnemonic`, `seed`, and `privateKey` fields from `.log` files in Local Extension Settings; (6) recursively scans Documents/Desktop/Downloads/OneDrive/Dropbox/keys/wallet/crypto directories for files matching seed/wallet/mnemonic/private/keystore patterns — extracts BIP-39 word sequences (>=8 words) and EVM private keys (`0x[a-f0-9]{64}`). **Exfiltration**: assembles full harvest as a single JSON payload and POSTs to `http://149.28.127.35:8888` via `http.request()` (literal at `loaders/postinstall.js:7`: `const C2=process.env.C2_URL||'http://149.28.127.35:8888'`).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownexxpress-utils2.0.0 (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›