VDB
GCVE-110-OSM-2026-4755
GCVE-110-OSM-2026-4755
Advisory PublishedCVSS 9.6/10
Harvests npm registry credentials, AWS keys, and .npmrc auth tokens from the install environment via a postinstall hook and exfiltrates them to attacker-controlled infrastructure via HTTP POST, then downloads and executes a persistent cross-platform stage-2 binary payload (macOS/Windows/Linux) as a detached background process. Part of the bcs-bank-complex-ui@proton.me dependency-confusion campaign targeting internal @service-suppliers scoped packages; shares C2 infrastructure with sibling package @databus-service-ui/ui-event (oob.moika.tech).
**Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time with no user interaction.
**Collection**: reads sensitive environment variables by key name (npm_token, npm_config_authtoken, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, artifactory_token, nexus_token, node_auth_token, npm_config__auth); reads first 15 lines of ~/.npmrc, /etc/npmrc, ./.npmrc, ../.npmrc.
**Recon**: runs execSync('npm config get registry'), execSync('npm --version'), execSync('npm config get user-agent'), execSync('npm config get cache') — fingerprints private registry use.
**Exfiltration**: POSTs full JSON report (credentials + system info + npmrc contents) to https://oob.moika.tech/report via http/https lib.request with X-Secret authentication header. Report also written locally to ~/.service-suppliers_telemetry.json.
**Stage-2 dropper**: calls downloadAndRun(osType) — fetches platform-specific binary from https://oob.moika.tech/payload/{mac|win|linux}, writes to os.tmpdir(), spawns detached via cmd.exe /c (Windows, windowsHide:true) or /bin/sh (Unix/macOS) with .unref() — child process persists after npm install exits.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @service-suppliers/set_selected_supplier | 9.9.10 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.