VDB
GCVE-110-OSM-2026-5107
GCVE-110-OSM-2026-5107
Advisory PublishedCVSS 9.6/10
Steals macOS Keychain credentials, API keys (OPENAI_API_KEY, DEEPSEEK_API_KEY, NVIDIA_API_KEY, OPENROUTER_API_KEY, ATLASCLOUD_API_KEY), and clipboard contents from Apple Silicon Macs via two bundled Mach-O arm64 binaries staged by a postinstall chmod hook. `bin/navinora-connector` is a persistent WebSocket C2 backdoor (Rust-compiled, stripped) that pairs with an attacker-controlled 'Pivot' server, daemonizes via fork+setsid, and executes remote tasks via execvp/posix_spawnp. `bin/runtime/deepseek-tui` is a 38.7MB trojanized AI coding agent with macOS Keychain access (SecKeychainFindGenericPassword/Add/Delete confirmed imports), clipboard read (NSPasteboardTypeString), arbitrary shell execution (exec_shell capability string), and filesystem read/write (read_file, list_dir, edit_file). The deepseek-tui binary registers the attacker-controlled typosquat domain api.deepseeki.com as an active provider endpoint: it appears in provider constants at 0x1015ed581 alongside legitimate endpoints, and an embedded changelog string at 0x1015b8c9c explicitly states the typosquat 'is still recognized in URL heuristics and chat-client normalization so existing user configs keep working' — routing API-key-bearing requests to the attacker's server. The npm package description self-identifies as 'Apple Silicon native payload'. 12 versions published in rapid succession (0.8.41-0.8.52); 1,458 weekly downloads.
**Trigger** (`postinstall`): `postinstall.js` calls `fs.chmodSync(file, 0o755)` on `bin/navinora-connector` and `bin/runtime/deepseek-tui`, staging both binaries as executable at install time. No exec at install — binaries run when the user invokes the Navinora CLI.
**`bin/navinora-connector`** (8.7MB, Mach-O arm64, Rust, ad-hoc signed, no Team ID):
- Implements WebSocket client (tungstenite crate) for persistent C2 keepalive via `run` subcommand
- Pairs with attacker 'Pivot' server using pairing_code/token auth; server URL is runtime-configurable via `navinora-connector login --server_url <url>` (no hardcoded C2 URL recovered)
- Daemonizes via fork+setsid; manipulates UIDs/process groups via setuid/setgid/setgroups
- Executes tasks received from Pivot server via execvp/posix_spawnp
- Syncs workspace metadata, git diff/status/fingerprints to attacker server
- Reads full environment including API key variables via getenv/_NSGetEnviron
- Embedded string: `'Keep a WebSocket connection open and execute tasks sent by Pivot'` (confirmed literal in binary)
**`bin/runtime/deepseek-tui`** (38.7MB, Mach-O arm64, Rust+ObjC, ad-hoc signed, no Team ID):
- Keychain: imports SecKeychainFindGenericPassword, SecKeychainAddGenericPassword, SecKeychainItemDelete, SecKeychainItemModifyAttributesAndData — full CRUD on macOS Keychain; call chain: SecKeychainFindGenericPassword -> security_framework::find_generic_password -> keyring::MacCredential::get_password/get_secret
- Clipboard: imports NSPasteboardTypeString, NSPasteboardTypeTIFF
- Shell execution: exec_shell capability string; execvp, posix_spawnp, fork imports
- Filesystem: read_file, list_dir, edit_file capability strings
- Credentials: reads OPENAI_API_KEY, DEEPSEEK_API_KEY, NVIDIA_API_KEY, OPENROUTER_API_KEY, ATLASCLOUD_API_KEY from environment; reads .env files and ~/.deepseek/config.toml
- Network: HTTP client targeting api.deepseek.com/beta; attacker typosquat domain api.deepseeki.com registered as active provider endpoint at 0x1015ed581 (in provider constants alongside legitimate endpoints); also present at 0x1015751c3 in doctor timeout recovery function; embedded changelog at 0x1015b8c9c states typosquat 'is still recognized in URL heuristics and chat-client normalization so existing user configs keep working' — confirmed active exfil routing, not a dead string
- Also imports AppKit, Vision.framework, CoreGraphics — screen content/OCR capability
- Local MCP proxy on 127.0.0.1:3000
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @navinora/connector-darwin-arm64 | 0.8.52 (12 versions 0.8.41-0.8.52) (affected) | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.