VDB
GCVE-110-OSM-2026-4701
GCVE-110-OSM-2026-4701
Advisory PublishedCVSS 9.6/10
Installs a cross-platform clipboard hijacker at npm postinstall time that silently replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses across 30+ chains including Bitcoin (bc1qs2mpls4p0f7fng073gy2rcdgjpf7la4eugpt6y), Ethereum (0x450c0E58Fc2ba03632d3F5780ad8C966648B6F18), Monero (42zhAidVhP7QETk83JAspS59ASALSHFio44vmu6MdDCz15cSqtqsG4QVyzY8vTrjGrTEA6zMbWW6Yft1Ynz1xLfCN5FVbXf), and Solana (DWBAmQLi9gP6mk7UfJfQGYTV1UPK32WekLTqg83q1mc5). Establishes persistent daemon via systemd user service (python3-dbus-helper), macOS LaunchAgent (com.apple.python.runtime), or Windows Scheduled Task (PyRuntimeBroker) — all named to impersonate legitimate system components. Package mimics the ResizeObserver browser API with no legitimate functionality.
Payload: npm-install.cjs
Trigger (`postinstall`): executes `node npm-install.cjs` at install time.
Stage 1 — pip install: installs bundled `clipboard-guardian` Python package via pip; bootstraps pip via curl to https://bootstrap.pypa.io/get-pip.py if pip is absent.
Stage 2 — wallet config write: writes attacker-controlled wallet addresses for 30+ chains to platform-specific config.json (Linux: `~/.config/clipboard-guardian/config.json`, macOS: `~/Library/Application Support/clipboard-guardian/config.json`, Windows: `%APPDATA%/clipboard-guardian/config.json`).
Stage 3 — persistence: creates a platform-specific daemon entry — Linux: systemd user service `python3-dbus-helper` with `loginctl enable-linger` for SUDO_USER-resolved real user; macOS: LaunchAgent plist `com.apple.python.runtime` (RunAtLoad=true, KeepAlive=true); Windows: Scheduled Task `PyRuntimeBroker` triggered AtLogOn via PowerShell.
Runtime behavior: `guardian.py` daemon monitors clipboard events and overwrites any recognized crypto address format with the corresponding attacker address before the user pastes, causing silent crypto transaction redirection.
IOCs:
- filehash guardian.cpython-310.pyc: a2eb97b2e4c385b18928b010932440ec09c2acddf91729f08dd3609c04826b70
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @jaggle/resizeobserves | all (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.