VDB
GCVE-110-OSM-2026-4757
GCVE-110-OSM-2026-4757
Advisory PublishedCVSS 9.6/10
Exfiltrates npm tokens, AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), GitHub Actions secrets, and .npmrc file contents to attacker-controlled C2 at oob.moika.tech via HTTP POST in the postinstall script, then downloads and executes a cross-platform second-stage payload (macOS/Windows/Linux) as a detached background process that survives parent exit. Published at version 9.9.10 as a dependency confusion attack targeting the private @service-suppliers scope.
**Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time.
**Collection**: reads `process.env` for SENSITIVE_KEYS array: `npm_token`, `npm_config_authtoken`, `npm_config_registry`, `github_token`, `github_actions`, `ci`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `artifactory_token`, `nexus_token`, `node_auth_token`, `npm_config__auth`. Also reads first 15 lines from `os.homedir()/.npmrc`, `/etc/npmrc`, `cwd/.npmrc`, `cwd/../.npmrc`.
**System fingerprint**: hostname, `os.userInfo().username`, platform, arch, release, cwd, node/npm version, CI detection flags (GITHUB_ACTIONS, JENKINS_URL, GITLAB_CI), PATH.
**Exfiltration**: POSTs collected JSON to `https://oob.moika.tech/report` with `X-Secret` authentication header.
**Stage-2 download**: GETs `https://oob.moika.tech/payload` with platform suffix (mac/win/linux), writes binary to `os.tmpdir()/._service-suppliers_init.{sh|bat}`, chmod 0o755, executes via `spawn('cmd.exe', ['/c', tmp], {detached:true}).unref()` on Windows or `spawn('/bin/sh', [tmp], {detached:true}).unref()` on macOS/Linux, daemonizing the second stage so it survives npm install exit.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @service-suppliers/fetch_suppliers_action_saga | 9.9.10 (affected) | — |
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.