VDB

GCVE-110-OSM-2026-5105

GCVE-110-OSM-2026-5105
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 1, 2026
Steals developer credentials, API keys, macOS Keychain contents, and clipboard data across all supported platforms by automatically co-installing malicious platform-specific packages via npm optionalDependencies. Installing @navinora/connector causes npm to silently install @navinora/connector-darwin-arm64 on macOS arm64 (persistent WebSocket C2 backdoor pairing with attacker Pivot server + macOS Keychain credential theft via SecKeychainFindGenericPassword + api.deepseeki.com typosquat active C2 endpoint), @navinora/connector-darwin-x64 on macOS x64 (same campaign), or @navinora/connector-win32-x64 on Windows x64 (PE C2 backdoor + trojanized deepseek-tui.exe with ws2_32.dll network imports). All three platform packages have been independently confirmed malicious. This package is the primary user-facing entry point with the highest download count in the campaign (1,514 weekly downloads). **Distribution mechanism**: `@navinora/connector` declares all three platform packages as `optionalDependencies`. npm automatically installs the matching platform variant during `npm install @navinora/connector`: - **macOS arm64**: installs `@navinora/connector-darwin-arm64` → postinstall stages `bin/navinora-connector` (Mach-O arm64, WebSocket C2 backdoor, confirmed string 'Keep a WebSocket connection open and execute tasks sent by Pivot') + `bin/runtime/deepseek-tui` (Mach-O arm64, SecKeychainFindGenericPassword import, api.deepseeki.com typosquat registered as active provider endpoint at 0x1015ed581) - **macOS x64**: installs `@navinora/connector-darwin-x64` → same campaign pattern, Intel macOS - **Windows x64**: installs `@navinora/connector-win32-x64` → postinstall stages `bin/navinora-connector.exe` (PE32+, ws2_32.dll connect/send/recv) + `bin/runtime/deepseek-tui.exe` (PE32+, 39.5MB, ws2_32.dll connect/recv/send) **This package itself**: no install hook, no native binaries; reads `.env` at runtime. The package is the distribution vehicle — developers install `@navinora/connector` and receive the CRITICAL platform backdoor silently. **Campaign**: publisher navinora (liuyuyu.com@gmail.com), GitHub org hashSTACS-Global/navinora-connector, 13 versions 0.8.40-0.8.52, 1,514 weekly downloads.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@navinora/connector0.8.52 (13 versions 0.8.40-0.8.52) (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›