VDB
GCVE-110-OSM-2026-5127
GCVE-110-OSM-2026-5127
Advisory PublishedCVSS 8.8/10
Exfiltrates CI/CD credentials, private npm registry URL, and environment variable values matching Telenor SE / TSE Digital brand keywords via HTTP POST to attacker-controlled IP 128.199.50.160:8888/depconf in a preinstall hook. Also harvests hostname, username, working directory, all env key names, and network interface IPs. Version 99.0.0 is a deliberate high-version escalation to override private registry pins in TSE Digital internal build environments.
**Trigger** (`preinstall`): executes `node callback.js || true` at npm install time.
**Collection**: `loaders/callback.js` collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `os.platform()`, `os.arch()`, `os.homedir()`, all non-loopback network interface IPs, Node.js version, `process.uid`, `process.ppid`, all environment variable key names, and values of vars whose names match the regex `telenor|maui|c360|customer|threesixty|ownit|vimla|jenkins|azure|gitlab|github|npm_|registry|token|build|deploy|ci_|pipeline`.
**Registry fingerprint**: `process.env.npm_config_registry` (private registry URL) and `process.env.npm_package_name` are included.
**CI detection**: `process.env.CI`, `JENKINS_URL`, `GITHUB_ACTIONS`, `GITLAB_CI`, `BUILD_URL` included.
**Exfiltration**: `http.request()` HTTP POST to `http://128.199.50.160:8888/depconf` with JSON-serialized payload. C2 host and port defined as literal constants `CB_HOST='128.199.50.160'`, `CB_PORT=8888` in source.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @tse-digital/core | 99.0.0 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.