VDB

GCVE-110-OSM-2026-4755

GCVE-110-OSM-2026-4755
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 26, 2026
Harvests npm registry credentials, AWS keys, and .npmrc auth tokens from the install environment via a postinstall hook and exfiltrates them to attacker-controlled infrastructure via HTTP POST, then downloads and executes a persistent cross-platform stage-2 binary payload (macOS/Windows/Linux) as a detached background process. Part of the bcs-bank-complex-ui@proton.me dependency-confusion campaign targeting internal @service-suppliers scoped packages; shares C2 infrastructure with sibling package @databus-service-ui/ui-event (oob.moika.tech). **Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time with no user interaction. **Collection**: reads sensitive environment variables by key name (npm_token, npm_config_authtoken, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, artifactory_token, nexus_token, node_auth_token, npm_config__auth); reads first 15 lines of ~/.npmrc, /etc/npmrc, ./.npmrc, ../.npmrc. **Recon**: runs execSync('npm config get registry'), execSync('npm --version'), execSync('npm config get user-agent'), execSync('npm config get cache') — fingerprints private registry use. **Exfiltration**: POSTs full JSON report (credentials + system info + npmrc contents) to https://oob.moika.tech/report via http/https lib.request with X-Secret authentication header. Report also written locally to ~/.service-suppliers_telemetry.json. **Stage-2 dropper**: calls downloadAndRun(osType) — fetches platform-specific binary from https://oob.moika.tech/payload/{mac|win|linux}, writes to os.tmpdir(), spawns detached via cmd.exe /c (Windows, windowsHide:true) or /bin/sh (Unix/macOS) with .unref() — child process persists after npm install exits.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@service-suppliers/set_selected_supplier9.9.10 (affected)

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›