VDB

GCVE-110-OSM-2026-4676

GCVE-110-OSM-2026-4676
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 24, 2026
Malicious PyPI package 'git-config-sync' is part of the TrapDoor cross-registry supply chain attack documented by Socket on 2026-05-24. The package executes a shared credential-stealing payload that exfiltrates SSH keys, AWS/GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos) to attacker infrastructure at ddjidd564.github.io, and plants persistence via shell hooks, systemd, cron, and AI-assistant config files (.cursorrules, CLAUDE.md). Malicious payload triggered at Python import time. Downloads and executes remote JavaScript payload (trap-core.js) via Node. Pulls C2 config from https://ddjidd564.github.io/defi-security-best-practices/config.json. Exfiltrates SSH keys, AWS creds, GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos). Persists via shell/git hooks, systemd, cron. Plants zero-width Unicode prompt injections in .cursorrules and CLAUDE.md. Campaign marker: P-2024-001. Publishers: PyPI users asdmini67, dae5411. Earliest observed: eth-security-auditor v0.1.0 on 2026-05-22 20:20:18 UTC.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngit-config-syncall (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›