VDB
GCVE-110-OSM-2026-5105
GCVE-110-OSM-2026-5105
Advisory PublishedCVSS 9.6/10
Steals developer credentials, API keys, macOS Keychain contents, and clipboard data across all supported platforms by automatically co-installing malicious platform-specific packages via npm optionalDependencies. Installing @navinora/connector causes npm to silently install @navinora/connector-darwin-arm64 on macOS arm64 (persistent WebSocket C2 backdoor pairing with attacker Pivot server + macOS Keychain credential theft via SecKeychainFindGenericPassword + api.deepseeki.com typosquat active C2 endpoint), @navinora/connector-darwin-x64 on macOS x64 (same campaign), or @navinora/connector-win32-x64 on Windows x64 (PE C2 backdoor + trojanized deepseek-tui.exe with ws2_32.dll network imports). All three platform packages have been independently confirmed malicious. This package is the primary user-facing entry point with the highest download count in the campaign (1,514 weekly downloads).
**Distribution mechanism**: `@navinora/connector` declares all three platform packages as `optionalDependencies`. npm automatically installs the matching platform variant during `npm install @navinora/connector`:
- **macOS arm64**: installs `@navinora/connector-darwin-arm64` → postinstall stages `bin/navinora-connector` (Mach-O arm64, WebSocket C2 backdoor, confirmed string 'Keep a WebSocket connection open and execute tasks sent by Pivot') + `bin/runtime/deepseek-tui` (Mach-O arm64, SecKeychainFindGenericPassword import, api.deepseeki.com typosquat registered as active provider endpoint at 0x1015ed581)
- **macOS x64**: installs `@navinora/connector-darwin-x64` → same campaign pattern, Intel macOS
- **Windows x64**: installs `@navinora/connector-win32-x64` → postinstall stages `bin/navinora-connector.exe` (PE32+, ws2_32.dll connect/send/recv) + `bin/runtime/deepseek-tui.exe` (PE32+, 39.5MB, ws2_32.dll connect/recv/send)
**This package itself**: no install hook, no native binaries; reads `.env` at runtime. The package is the distribution vehicle — developers install `@navinora/connector` and receive the CRITICAL platform backdoor silently.
**Campaign**: publisher navinora (liuyuyu.com@gmail.com), GitHub org hashSTACS-Global/navinora-connector, 13 versions 0.8.40-0.8.52, 1,514 weekly downloads.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @navinora/connector | 0.8.52 (13 versions 0.8.40-0.8.52) (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.