VDB

GCVE-110-OSM-2026-5133

GCVE-110-OSM-2026-5133
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Exfiltrates full environment variables and system fingerprint to an attacker-controlled Discord webhook via HTTP POST in the preinstall script. The package collects process.env (including any npm tokens, AWS credentials, and other secrets present in the environment), hostname, local IP, public IP, OS details, and working directory, then sends all of it as a structured Discord embed to a hardcoded webhook URL at discord.com/api/webhooks/1510273553176592507/... at install time without user interaction. **Trigger** (`preinstall`): executes `node index.js || true` at install time, unconditionally. **Collection**: reads full `process.env` and captures `os.hostname()`, local IP via `os.networkInterfaces()`, public IP via `fetch('https://api.ipify.org?format=json')`, `os.type()`, `os.release()`, `os.arch()`, `process.cwd()`, and current timestamp. **Exfiltration**: assembles all collected data into a Discord embed JSON payload and POSTs it to the hardcoded webhook URL `https://discord.com/api/webhooks/1510273553176592507/sKKeGWq97Ny7N8aYBn7JaY3PeqC1qwJvTdY6ftxeIcS12GoFPx9-J7yc8iDefb2dVh-3` via `https.request` with the webhook URL stored as a literal constant (`WEBHOOK_PATH`) in `loaders/index.js`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@chat-template/auth1.0.0 (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›