VDB
GCVE-110-OSM-2026-4198
GCVE-110-OSM-2026-4198
Advisory PublishedCVSS 9.6/10
Steals browser credentials (Chrome, Brave, Edge, Firefox login databases and cookies), cryptocurrency wallet keys and seed phrases from 71 wallet extensions and local filesystem, npm auth tokens, .env API secrets, and git credentials — all exfiltrated via HTTP POST to hardcoded C2 at http://149.28.127.35:8888 during postinstall. Typosquats the chalk package; index.js is a decoy stub. Part of a coordinated campaign sharing C2 infrastructure with at least four other malicious typosquat packages.
**Trigger** (`postinstall`): executes `node postinstall.js` at install time.
**Browser credential theft**: reads Chrome/Brave/Edge `Login Data` SQLite files and `Cookies` databases; reads Firefox `logins.json`; base64-encodes and includes extracted credentials and URL lists.
**Crypto wallet theft**: iterates WALLET_IDS array (71 browser extension IDs including MetaMask and Phantom) scanning extension `.log` files for `vault`, `mnemonic`, `seed`, `privateKey` patterns.
**Seed phrase / keystore scan**: walks Documents, Desktop, Downloads, OneDrive, Dropbox, keys, wallet, crypto directories matching filenames containing `seed|backup|wallet|phrase|crypto|metamask|phantom|vault|key|private|mnemonic`; extracts EVM private keys (`0x[a-f0-9]{64}`) and BIP-39 seed word sequences.
**Token theft**: reads `~/.npmrc` and `~/.env` for npm `_authToken` / `npm_[a-zA-Z0-9]{36}` patterns and API secrets matching `token|secret|password|api key|database|stripe|paypal|sendgrid|mailgun`.
**Git credentials**: reads `~/.git-credentials` in full.
**Exfiltration**: all data JSON-serialized and sent via `http.request` POST to `http://149.28.127.35:8888` (literal at `loaders/postinstall.js:8`).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | chalk-pack | 2.0.0 (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.