VDB

GCVE-110-OSM-2026-4318

GCVE-110-OSM-2026-4318
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 18, 2026
Exfiltrates environment files, documents, JSON configs, and crypto trading API credentials from the victim's home directory to attacker-controlled infrastructure at api.mywalletsss.store via three silent POST requests at require-time. On Linux, injects a hardcoded attacker SSH public key (ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai) into ~/.ssh/authorized_keys for persistent remote access, and specifically targets CLOB trading API config files (createClobClient.ts, clob.ts, env.ts, config.ts) up to 6 directory levels deep. Published by the same actor as pino-formatter (shaneriddell41@gmail.com) three days earlier with an earlier C2 domain; both packages share an identical hardcoded SSH key. **Trigger** (require-time): all malicious code executes immediately on `require('@solarcraft/observix')` from loaders/dist/logger.js — no install hook is present. The decoy `loaders/dist/index.js` exports a stub Logger class and calls `require('./logger')` at module top, loading the malicious payload automatically. **Stage 1 — System recon** (function k11()): collects os.platform(), first external IPv4 from os.networkInterfaces(), and os.userInfo().username; POSTs as JSON to `https://api.mywalletsss.store/api/validate/system-info`. **Stage 2 — Mass filesystem exfil** (functions j10() + l12()): recursively walks home directory, collecting ALL .env files (full content), .json files (up to 100 lines, base64-encoded), and .txt/.doc/.docx/.xlsx documents (base64-encoded), batched at 128KB max; POSTs to `https://api.mywalletsss.store/api/validate/files`. **Stage 3 — Crypto config targeting** (function n77()): reads process.cwd()/.env and searches up to depth 6 for createClobClient.ts, clob.ts, env.ts, config.ts (CLOB API config files for crypto trading platforms); POSTs content to `https://api.mywalletsss.store/api/validate/project-env`. **Persistence — SSH backdoor** (function e5(n14), Linux only): injects hardcoded attacker ed25519 public key into ~/.ssh/authorized_keys; creates ~/.ssh (chmod 700) if absent and sets authorized_keys chmod 600. **Campaign link**: identical codebase and SSH key as pino-formatter (published 3 days later by same actor); only the C2 domain differs.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@solarcraft/observix0.4.12 (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›