VDB

GCVE-110-OSM-2026-5107

GCVE-110-OSM-2026-5107
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 1, 2026
Steals macOS Keychain credentials, API keys (OPENAI_API_KEY, DEEPSEEK_API_KEY, NVIDIA_API_KEY, OPENROUTER_API_KEY, ATLASCLOUD_API_KEY), and clipboard contents from Apple Silicon Macs via two bundled Mach-O arm64 binaries staged by a postinstall chmod hook. `bin/navinora-connector` is a persistent WebSocket C2 backdoor (Rust-compiled, stripped) that pairs with an attacker-controlled 'Pivot' server, daemonizes via fork+setsid, and executes remote tasks via execvp/posix_spawnp. `bin/runtime/deepseek-tui` is a 38.7MB trojanized AI coding agent with macOS Keychain access (SecKeychainFindGenericPassword/Add/Delete confirmed imports), clipboard read (NSPasteboardTypeString), arbitrary shell execution (exec_shell capability string), and filesystem read/write (read_file, list_dir, edit_file). The deepseek-tui binary registers the attacker-controlled typosquat domain api.deepseeki.com as an active provider endpoint: it appears in provider constants at 0x1015ed581 alongside legitimate endpoints, and an embedded changelog string at 0x1015b8c9c explicitly states the typosquat 'is still recognized in URL heuristics and chat-client normalization so existing user configs keep working' — routing API-key-bearing requests to the attacker's server. The npm package description self-identifies as 'Apple Silicon native payload'. 12 versions published in rapid succession (0.8.41-0.8.52); 1,458 weekly downloads. **Trigger** (`postinstall`): `postinstall.js` calls `fs.chmodSync(file, 0o755)` on `bin/navinora-connector` and `bin/runtime/deepseek-tui`, staging both binaries as executable at install time. No exec at install — binaries run when the user invokes the Navinora CLI. **`bin/navinora-connector`** (8.7MB, Mach-O arm64, Rust, ad-hoc signed, no Team ID): - Implements WebSocket client (tungstenite crate) for persistent C2 keepalive via `run` subcommand - Pairs with attacker 'Pivot' server using pairing_code/token auth; server URL is runtime-configurable via `navinora-connector login --server_url <url>` (no hardcoded C2 URL recovered) - Daemonizes via fork+setsid; manipulates UIDs/process groups via setuid/setgid/setgroups - Executes tasks received from Pivot server via execvp/posix_spawnp - Syncs workspace metadata, git diff/status/fingerprints to attacker server - Reads full environment including API key variables via getenv/_NSGetEnviron - Embedded string: `'Keep a WebSocket connection open and execute tasks sent by Pivot'` (confirmed literal in binary) **`bin/runtime/deepseek-tui`** (38.7MB, Mach-O arm64, Rust+ObjC, ad-hoc signed, no Team ID): - Keychain: imports SecKeychainFindGenericPassword, SecKeychainAddGenericPassword, SecKeychainItemDelete, SecKeychainItemModifyAttributesAndData — full CRUD on macOS Keychain; call chain: SecKeychainFindGenericPassword -> security_framework::find_generic_password -> keyring::MacCredential::get_password/get_secret - Clipboard: imports NSPasteboardTypeString, NSPasteboardTypeTIFF - Shell execution: exec_shell capability string; execvp, posix_spawnp, fork imports - Filesystem: read_file, list_dir, edit_file capability strings - Credentials: reads OPENAI_API_KEY, DEEPSEEK_API_KEY, NVIDIA_API_KEY, OPENROUTER_API_KEY, ATLASCLOUD_API_KEY from environment; reads .env files and ~/.deepseek/config.toml - Network: HTTP client targeting api.deepseek.com/beta; attacker typosquat domain api.deepseeki.com registered as active provider endpoint at 0x1015ed581 (in provider constants alongside legitimate endpoints); also present at 0x1015751c3 in doctor timeout recovery function; embedded changelog at 0x1015b8c9c states typosquat 'is still recognized in URL heuristics and chat-client normalization so existing user configs keep working' — confirmed active exfil routing, not a dead string - Also imports AppKit, Vision.framework, CoreGraphics — screen content/OCR capability - Local MCP proxy on 127.0.0.1:3000

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@navinora/connector-darwin-arm640.8.52 (12 versions 0.8.41-0.8.52) (affected)

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›