VDB
GCVE-110-OSM-2026-4196
GCVE-110-OSM-2026-4196
Advisory PublishedCVSS 9.6/10
Exfiltrates browser saved passwords (Chrome/Brave/Edge Login Data SQLite databases, Firefox logins.json), crypto wallet keys and mnemonics from 71 browser extension IDs, BIP39 seed phrases and EVM private keys from filesystem, npm auth tokens, .env API secrets, and git credentials to a hardcoded C2 at http://149.28.127.35:8888 via HTTP POST in the postinstall script. A typosquat of the popular `express` package; index.js is a decoy stub. Shared C2 infrastructure is active across multiple campaign packages.
**Trigger** (`postinstall`): executes `node postinstall.js` at install time without user interaction. **Collection — browser credentials**: reads Chrome, Brave, and Edge `Login Data` (SQLite) and Firefox `logins.json`; base64-encodes raw database content and sends the first 5KB of each file. **Collection — crypto wallets**: iterates 71 browser extension IDs under Chrome/Brave/Edge `Local Extension Settings`; reads `.log` files and regex-extracts `vault`, `keyring`, `mnemonic`, `seed`, and `privateKey` fields. **Collection — seed files**: recursively scans `Documents`, `Desktop`, `Downloads`, `OneDrive`, `Dropbox`, `keys`, `wallet`, and `crypto` directories for filenames matching seed/backup/wallet/mnemonic/keystore patterns; extracts BIP39 seed phrases and EVM private keys (`0x[a-f0-9]{64}`). **Collection — tokens/secrets**: reads `~/.npmrc` for `_authToken`, `~/.env` for keys matching token/secret/api_key/database patterns, and `~/.git-credentials` line by line. **Exfiltration**: all harvested data POSTed as JSON to `http://149.28.127.35:8888` via `http.request`. C2 URL overridable via `C2_URL` environment variable for targeted deployments.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | exxpress-tool | 2.0.0 (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.