VDB
GCVE-110-OSM-2026-5759
GCVE-110-OSM-2026-5759
Advisory PublishedCVSS 5.4/10
This package is a deliberate Chrome-cookie-harvesting CLI that reads local browser profiles and makes authenticated requests to financial and AI services (Chase bank via `dist/src/sites/chase.com/download-helper.js`, Claude, Cursor, Perplexity, PSEG energy portal). The 'browser-data-theft' and 'env-exfiltration' findings are not false positives — the cookie capability is the stated mechanism — but there is no visible exfiltration to attacker-controlled endpoints; output flows to stdout or a user-specified file. The 'startup-persistence' hits on `.PROFILE` and `.profile` appear to be false positives from Chrome profile path strings rather than shell rc writes. The `chalk` malicious-dependency flag is almost certainly a database false positive given chalk's widespread legitimate use. The package's risk is more about intended use ambiguity: a tool that silently reads Chrome cookies and queries Chase/banking APIs is dangerous if executed in unintended contexts (e.g. as a transitive dep or via social engineering), even if the author's intent is personal productivity. The absence of a linked source repository and the rapid version cadence (9 versions in 4 days) add minor concern.
ENTRY
dist/bin/cli.js (bin: ./dist/bin/cli.js)
LOOT
- Browser Data Theft in dist/src/capabilities/cookies.js: "Chrome/148.0.0.0 Safari/537.36";function o(e,r){return e.profilePath||r.PROFILE_..."
PERSISTENCE
- Startup Persistence in dist/bin/cli.js: ".PROFILE"
- Startup Persistence in dist/src/capabilities/cookies.js: ".profile"
DESTINATION
- domains: secure.chase.com (c2, plaintext)
- domains: chase.com (c2, plaintext)
EXFIL
- Environment Variable Exfiltration in dist/src/core/context.js: "process.env,g=!!d.debug,m="required"===p.cookies;let w;const b=()=>(void 0===w&&..."
- Environment Variable Exfiltration in dist/src/core/registry.js: "process.env,s=n.fetchImpl??v(),a=n.ttlMs??36e5,u=function(e,t){const r=e.replace..."
ADDITIONAL FINDINGS
- Platform Detection with Data Collection in dist/src/core/registry.js: "JSON.stringify({fetchedAt:Date.now(),index:d}),"utf8")}catch{}return d}export as..."
- Dynamic Code Execution in dist/src/sites/google.com/google-helpers.js: "exec(t)"
- Malicious Dependency Detected in package.json
PAYLOAD FILES
dist/src/core/registry.js (+ dist/src/core/context.js, dist/src/capabilities/cookies.js)
INDICATORS (IOCs)
- ipv4: 148.0.0.0
- urls: https://claude.ai/api/organizations, https://cursor.com/api/usage-summary, https://ollama.com/settings, https://www.perplexity.ai/rest/sse/perplexity_ask, https://www.perplexity.ai (+4 more)
- domains: pseg.com, Cursor.com, cursor.com, ollama.com, mysmartenergy.nj.pseg.com (+3 more)
- payloadFileHash: 934fb849dca44540bbdc89e3abd052258dd05d6dc600a8202f3125877d91789b
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | website-api | all (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.