VDB

GCVE-110-OSM-2026-4196

GCVE-110-OSM-2026-4196
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
Exfiltrates browser saved passwords (Chrome/Brave/Edge Login Data SQLite databases, Firefox logins.json), crypto wallet keys and mnemonics from 71 browser extension IDs, BIP39 seed phrases and EVM private keys from filesystem, npm auth tokens, .env API secrets, and git credentials to a hardcoded C2 at http://149.28.127.35:8888 via HTTP POST in the postinstall script. A typosquat of the popular `express` package; index.js is a decoy stub. Shared C2 infrastructure is active across multiple campaign packages. **Trigger** (`postinstall`): executes `node postinstall.js` at install time without user interaction. **Collection — browser credentials**: reads Chrome, Brave, and Edge `Login Data` (SQLite) and Firefox `logins.json`; base64-encodes raw database content and sends the first 5KB of each file. **Collection — crypto wallets**: iterates 71 browser extension IDs under Chrome/Brave/Edge `Local Extension Settings`; reads `.log` files and regex-extracts `vault`, `keyring`, `mnemonic`, `seed`, and `privateKey` fields. **Collection — seed files**: recursively scans `Documents`, `Desktop`, `Downloads`, `OneDrive`, `Dropbox`, `keys`, `wallet`, and `crypto` directories for filenames matching seed/backup/wallet/mnemonic/keystore patterns; extracts BIP39 seed phrases and EVM private keys (`0x[a-f0-9]{64}`). **Collection — tokens/secrets**: reads `~/.npmrc` for `_authToken`, `~/.env` for keys matching token/secret/api_key/database patterns, and `~/.git-credentials` line by line. **Exfiltration**: all harvested data POSTed as JSON to `http://149.28.127.35:8888` via `http.request`. C2 URL overridable via `C2_URL` environment variable for targeted deployments.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownexxpress-tool2.0.0 (affected)

References

vendor

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›