VDB

GCVE-110-OSM-2026-4758

GCVE-110-OSM-2026-4758
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 26, 2026
Exfiltrates npm registry credentials (from ~/.npmrc and project-level .npmrc files), sensitive environment variables, and comprehensive system recon to an attacker-controlled endpoint via HTTP POST in the postinstall script, then downloads and executes a platform-specific binary payload in a detached persistent process that survives package removal. Part of the bcs-bank campaign (publisher bcs-bank-complex-ui@proton.me) sharing infrastructure with confirmed credential-stealing packages in the same actor cluster. **Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time. **Collection**: reads `~/.npmrc`, `<cwd>/.npmrc`, `/etc/npmrc`, and `<cwd>/../.npmrc` to harvest npm registry tokens and credentials. Iterates `process.env` for keys matching `npm_token`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `github_token`, `node_auth_token`, `artifactory_token`, `nexus_token`, and others. Collects hostname, username, platform, architecture, Node.js version, npm config (registry, user-agent, cache path), CI environment variables, and PATH entries. **Dropper**: fetches a platform-specific payload from `https://oob.moika.tech/payload/<mac|win|linux>`, writes it to `os.tmpdir()/._polka-ui_init.sh` (or `.bat`), marks it executable via `chmodSync`, and spawns it with `detached: true` and `stdio: 'ignore'` — the child process survives parent process exit, establishing persistent execution. **Exfiltration**: assembles harvested data into a JSON report (including a `poc` field set to `dependency-confusion-npm`) and POSTs to `https://oob.moika.tech/report` with campaign token `l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1` in the `X-Secret` header. **Local persistence**: writes the full harvested report to `~/.polka-ui_telemetry.json`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@polka-ui/loader9.9.10 (affected)

References

vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›