VDB
GCVE-110-OSM-2026-4676
GCVE-110-OSM-2026-4676
Advisory PublishedCVSS 9.6/10
Malicious PyPI package 'git-config-sync' is part of the TrapDoor cross-registry supply chain attack documented by Socket on 2026-05-24. The package executes a shared credential-stealing payload that exfiltrates SSH keys, AWS/GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos) to attacker infrastructure at ddjidd564.github.io, and plants persistence via shell hooks, systemd, cron, and AI-assistant config files (.cursorrules, CLAUDE.md).
Malicious payload triggered at Python import time. Downloads and executes remote JavaScript payload (trap-core.js) via Node. Pulls C2 config from https://ddjidd564.github.io/defi-security-best-practices/config.json. Exfiltrates SSH keys, AWS creds, GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos). Persists via shell/git hooks, systemd, cron. Plants zero-width Unicode prompt injections in .cursorrules and CLAUDE.md. Campaign marker: P-2024-001. Publishers: PyPI users asdmini67, dae5411. Earliest observed: eth-security-auditor v0.1.0 on 2026-05-22 20:20:18 UTC.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | git-config-sync | all (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.