VDB
GCVE-110-OSM-2026-4296
GCVE-110-OSM-2026-4296
Advisory PublishedCVSS 9.6/10
Exfiltrates environment files, documents, JSON configs, and crypto trading API credentials from the victim's home directory to attacker-controlled infrastructure at api.vensaru.site via three silent POST requests at require-time. On Linux, injects a hardcoded attacker SSH public key (ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai) into ~/.ssh/authorized_keys for persistent remote access. Also specifically targets CLOB trading API config files (createClobClient.ts, clob.ts, env.ts, config.ts) up to 6 directory levels deep. Typosquats the pino logging framework.
**Trigger** (require-time): all malicious code executes immediately on `require('pino-formatter')` from dist/logger.js — no install hook is present.
**Stage 1 — System recon** (function k11()): collects os.platform(), first external IPv4 from os.networkInterfaces(), and os.userInfo().username; POSTs as JSON to `https://api.vensaru.site/api/validate/system-info`.
**Stage 2 — Mass filesystem exfil** (functions j10() + l12()): recursively walks home directory, collecting ALL .env files (full content), .json files (up to 100 lines, base64-encoded), and .txt/.doc/.docx/.xlsx documents (base64-encoded), batched at 128KB max; POSTs to `https://api.vensaru.site/api/validate/files`.
**Stage 3 — Crypto config targeting** (function n77()): reads process.cwd()/.env and searches up to depth 6 for createClobClient.ts, clob.ts, env.ts, config.ts; POSTs content to `https://api.vensaru.site/api/validate/project-env`.
**Persistence — SSH backdoor** (function e5(n14), Linux only): injects hardcoded attacker ed25519 public key into ~/.ssh/authorized_keys; creates ~/.ssh (chmod 700) if absent and sets authorized_keys chmod 600.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | pino-formatter | 1.1.13 (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.