VDB
GCVE-110-OSM-2026-5133
GCVE-110-OSM-2026-5133
Advisory PublishedCVSS 8.8/10
Exfiltrates full environment variables and system fingerprint to an attacker-controlled Discord webhook via HTTP POST in the preinstall script. The package collects process.env (including any npm tokens, AWS credentials, and other secrets present in the environment), hostname, local IP, public IP, OS details, and working directory, then sends all of it as a structured Discord embed to a hardcoded webhook URL at discord.com/api/webhooks/1510273553176592507/... at install time without user interaction.
**Trigger** (`preinstall`): executes `node index.js || true` at install time, unconditionally.
**Collection**: reads full `process.env` and captures `os.hostname()`, local IP via `os.networkInterfaces()`, public IP via `fetch('https://api.ipify.org?format=json')`, `os.type()`, `os.release()`, `os.arch()`, `process.cwd()`, and current timestamp.
**Exfiltration**: assembles all collected data into a Discord embed JSON payload and POSTs it to the hardcoded webhook URL `https://discord.com/api/webhooks/1510273553176592507/sKKeGWq97Ny7N8aYBn7JaY3PeqC1qwJvTdY6ftxeIcS12GoFPx9-J7yc8iDefb2dVh-3` via `https.request` with the webhook URL stored as a literal constant (`WEBHOOK_PATH`) in `loaders/index.js`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @chat-template/auth | 1.0.0 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.