VDB

GCVE-110-OSM-2026-4198

GCVE-110-OSM-2026-4198
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
Steals browser credentials (Chrome, Brave, Edge, Firefox login databases and cookies), cryptocurrency wallet keys and seed phrases from 71 wallet extensions and local filesystem, npm auth tokens, .env API secrets, and git credentials — all exfiltrated via HTTP POST to hardcoded C2 at http://149.28.127.35:8888 during postinstall. Typosquats the chalk package; index.js is a decoy stub. Part of a coordinated campaign sharing C2 infrastructure with at least four other malicious typosquat packages. **Trigger** (`postinstall`): executes `node postinstall.js` at install time. **Browser credential theft**: reads Chrome/Brave/Edge `Login Data` SQLite files and `Cookies` databases; reads Firefox `logins.json`; base64-encodes and includes extracted credentials and URL lists. **Crypto wallet theft**: iterates WALLET_IDS array (71 browser extension IDs including MetaMask and Phantom) scanning extension `.log` files for `vault`, `mnemonic`, `seed`, `privateKey` patterns. **Seed phrase / keystore scan**: walks Documents, Desktop, Downloads, OneDrive, Dropbox, keys, wallet, crypto directories matching filenames containing `seed|backup|wallet|phrase|crypto|metamask|phantom|vault|key|private|mnemonic`; extracts EVM private keys (`0x[a-f0-9]{64}`) and BIP-39 seed word sequences. **Token theft**: reads `~/.npmrc` and `~/.env` for npm `_authToken` / `npm_[a-zA-Z0-9]{36}` patterns and API secrets matching `token|secret|password|api key|database|stripe|paypal|sendgrid|mailgun`. **Git credentials**: reads `~/.git-credentials` in full. **Exfiltration**: all data JSON-serialized and sent via `http.request` POST to `http://149.28.127.35:8888` (literal at `loaders/postinstall.js:8`).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchalk-pack2.0.0 (affected)

References

vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›