VDB
GCVE-110-OSM-2026-4758
GCVE-110-OSM-2026-4758
Advisory PublishedCVSS 9.6/10
Exfiltrates npm registry credentials (from ~/.npmrc and project-level .npmrc files), sensitive environment variables, and comprehensive system recon to an attacker-controlled endpoint via HTTP POST in the postinstall script, then downloads and executes a platform-specific binary payload in a detached persistent process that survives package removal. Part of the bcs-bank campaign (publisher bcs-bank-complex-ui@proton.me) sharing infrastructure with confirmed credential-stealing packages in the same actor cluster.
**Trigger** (`postinstall`): executes `node scripts/postinstall.js` at install time.
**Collection**: reads `~/.npmrc`, `<cwd>/.npmrc`, `/etc/npmrc`, and `<cwd>/../.npmrc` to harvest npm registry tokens and credentials. Iterates `process.env` for keys matching `npm_token`, `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `github_token`, `node_auth_token`, `artifactory_token`, `nexus_token`, and others. Collects hostname, username, platform, architecture, Node.js version, npm config (registry, user-agent, cache path), CI environment variables, and PATH entries.
**Dropper**: fetches a platform-specific payload from `https://oob.moika.tech/payload/<mac|win|linux>`, writes it to `os.tmpdir()/._polka-ui_init.sh` (or `.bat`), marks it executable via `chmodSync`, and spawns it with `detached: true` and `stdio: 'ignore'` — the child process survives parent process exit, establishing persistent execution.
**Exfiltration**: assembles harvested data into a JSON report (including a `poc` field set to `dependency-confusion-npm`) and POSTs to `https://oob.moika.tech/report` with campaign token `l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1` in the `X-Secret` header.
**Local persistence**: writes the full harvested report to `~/.polka-ui_telemetry.json`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @polka-ui/loader | 9.9.10 (affected) | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.