VDB

GCVE-110-OSM-2026-4296

GCVE-110-OSM-2026-4296
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 19, 2026
Exfiltrates environment files, documents, JSON configs, and crypto trading API credentials from the victim's home directory to attacker-controlled infrastructure at api.vensaru.site via three silent POST requests at require-time. On Linux, injects a hardcoded attacker SSH public key (ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai) into ~/.ssh/authorized_keys for persistent remote access. Also specifically targets CLOB trading API config files (createClobClient.ts, clob.ts, env.ts, config.ts) up to 6 directory levels deep. Typosquats the pino logging framework. **Trigger** (require-time): all malicious code executes immediately on `require('pino-formatter')` from dist/logger.js — no install hook is present. **Stage 1 — System recon** (function k11()): collects os.platform(), first external IPv4 from os.networkInterfaces(), and os.userInfo().username; POSTs as JSON to `https://api.vensaru.site/api/validate/system-info`. **Stage 2 — Mass filesystem exfil** (functions j10() + l12()): recursively walks home directory, collecting ALL .env files (full content), .json files (up to 100 lines, base64-encoded), and .txt/.doc/.docx/.xlsx documents (base64-encoded), batched at 128KB max; POSTs to `https://api.vensaru.site/api/validate/files`. **Stage 3 — Crypto config targeting** (function n77()): reads process.cwd()/.env and searches up to depth 6 for createClobClient.ts, clob.ts, env.ts, config.ts; POSTs content to `https://api.vensaru.site/api/validate/project-env`. **Persistence — SSH backdoor** (function e5(n14), Linux only): injects hardcoded attacker ed25519 public key into ~/.ssh/authorized_keys; creates ~/.ssh (chmod 700) if absent and sets authorized_keys chmod 600.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownpino-formatter1.1.13 (affected)

References

vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›