VDB

GCVE-110-OSM-2026-4757

GCVE-110-OSM-2026-4757
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 26, 2026
Exfiltrates npm tokens, AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), GitHub Actions secrets, and .npmrc file contents to attacker-controlled C2 at oob.moika.tech via HTTP POST in the postinstall script, then downloads and executes a cross-platform second-stage payload (macOS/Windows/Linux) as a detached background process that survives parent exit. Published at version 9.9.10 as a dependency confusion attack targeting the private @service-suppliers scope. **Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time. **Collection**: reads `process.env` for SENSITIVE_KEYS array: `npm_token`, `npm_config_authtoken`, `npm_config_registry`, `github_token`, `github_actions`, `ci`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `artifactory_token`, `nexus_token`, `node_auth_token`, `npm_config__auth`. Also reads first 15 lines from `os.homedir()/.npmrc`, `/etc/npmrc`, `cwd/.npmrc`, `cwd/../.npmrc`. **System fingerprint**: hostname, `os.userInfo().username`, platform, arch, release, cwd, node/npm version, CI detection flags (GITHUB_ACTIONS, JENKINS_URL, GITLAB_CI), PATH. **Exfiltration**: POSTs collected JSON to `https://oob.moika.tech/report` with `X-Secret` authentication header. **Stage-2 download**: GETs `https://oob.moika.tech/payload` with platform suffix (mac/win/linux), writes binary to `os.tmpdir()/._service-suppliers_init.{sh|bat}`, chmod 0o755, executes via `spawn('cmd.exe', ['/c', tmp], {detached:true}).unref()` on Windows or `spawn('/bin/sh', [tmp], {detached:true}).unref()` on macOS/Linux, daemonizing the second stage so it survives npm install exit.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@service-suppliers/fetch_suppliers_action_saga9.9.10 (affected)

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›