VDB

GCVE-110-OSM-2026-4701

GCVE-110-OSM-2026-4701
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 22, 2026
Installs a cross-platform clipboard hijacker at npm postinstall time that silently replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses across 30+ chains including Bitcoin (bc1qs2mpls4p0f7fng073gy2rcdgjpf7la4eugpt6y), Ethereum (0x450c0E58Fc2ba03632d3F5780ad8C966648B6F18), Monero (42zhAidVhP7QETk83JAspS59ASALSHFio44vmu6MdDCz15cSqtqsG4QVyzY8vTrjGrTEA6zMbWW6Yft1Ynz1xLfCN5FVbXf), and Solana (DWBAmQLi9gP6mk7UfJfQGYTV1UPK32WekLTqg83q1mc5). Establishes persistent daemon via systemd user service (python3-dbus-helper), macOS LaunchAgent (com.apple.python.runtime), or Windows Scheduled Task (PyRuntimeBroker) — all named to impersonate legitimate system components. Package mimics the ResizeObserver browser API with no legitimate functionality. Payload: npm-install.cjs Trigger (`postinstall`): executes `node npm-install.cjs` at install time. Stage 1 — pip install: installs bundled `clipboard-guardian` Python package via pip; bootstraps pip via curl to https://bootstrap.pypa.io/get-pip.py if pip is absent. Stage 2 — wallet config write: writes attacker-controlled wallet addresses for 30+ chains to platform-specific config.json (Linux: `~/.config/clipboard-guardian/config.json`, macOS: `~/Library/Application Support/clipboard-guardian/config.json`, Windows: `%APPDATA%/clipboard-guardian/config.json`). Stage 3 — persistence: creates a platform-specific daemon entry — Linux: systemd user service `python3-dbus-helper` with `loginctl enable-linger` for SUDO_USER-resolved real user; macOS: LaunchAgent plist `com.apple.python.runtime` (RunAtLoad=true, KeepAlive=true); Windows: Scheduled Task `PyRuntimeBroker` triggered AtLogOn via PowerShell. Runtime behavior: `guardian.py` daemon monitors clipboard events and overwrites any recognized crypto address format with the corresponding attacker address before the user pastes, causing silent crypto transaction redirection. IOCs: - filehash guardian.cpython-310.pyc: a2eb97b2e4c385b18928b010932440ec09c2acddf91729f08dd3609c04826b70

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@jaggle/resizeobservesall (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›