VDB

GCVE-110-OSM-2026-5759

GCVE-110-OSM-2026-5759
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published June 11, 2026
This package is a deliberate Chrome-cookie-harvesting CLI that reads local browser profiles and makes authenticated requests to financial and AI services (Chase bank via `dist/src/sites/chase.com/download-helper.js`, Claude, Cursor, Perplexity, PSEG energy portal). The 'browser-data-theft' and 'env-exfiltration' findings are not false positives — the cookie capability is the stated mechanism — but there is no visible exfiltration to attacker-controlled endpoints; output flows to stdout or a user-specified file. The 'startup-persistence' hits on `.PROFILE` and `.profile` appear to be false positives from Chrome profile path strings rather than shell rc writes. The `chalk` malicious-dependency flag is almost certainly a database false positive given chalk's widespread legitimate use. The package's risk is more about intended use ambiguity: a tool that silently reads Chrome cookies and queries Chase/banking APIs is dangerous if executed in unintended contexts (e.g. as a transitive dep or via social engineering), even if the author's intent is personal productivity. The absence of a linked source repository and the rapid version cadence (9 versions in 4 days) add minor concern. ENTRY dist/bin/cli.js (bin: ./dist/bin/cli.js) LOOT - Browser Data Theft in dist/src/capabilities/cookies.js: "Chrome/148.0.0.0 Safari/537.36";function o(e,r){return e.profilePath||r.PROFILE_..." PERSISTENCE - Startup Persistence in dist/bin/cli.js: ".PROFILE" - Startup Persistence in dist/src/capabilities/cookies.js: ".profile" DESTINATION - domains: secure.chase.com (c2, plaintext) - domains: chase.com (c2, plaintext) EXFIL - Environment Variable Exfiltration in dist/src/core/context.js: "process.env,g=!!d.debug,m="required"===p.cookies;let w;const b=()=>(void 0===w&&..." - Environment Variable Exfiltration in dist/src/core/registry.js: "process.env,s=n.fetchImpl??v(),a=n.ttlMs??36e5,u=function(e,t){const r=e.replace..." ADDITIONAL FINDINGS - Platform Detection with Data Collection in dist/src/core/registry.js: "JSON.stringify({fetchedAt:Date.now(),index:d}),"utf8")}catch{}return d}export as..." - Dynamic Code Execution in dist/src/sites/google.com/google-helpers.js: "exec(t)" - Malicious Dependency Detected in package.json PAYLOAD FILES dist/src/core/registry.js (+ dist/src/core/context.js, dist/src/capabilities/cookies.js) INDICATORS (IOCs) - ipv4: 148.0.0.0 - urls: https://claude.ai/api/organizations, https://cursor.com/api/usage-summary, https://ollama.com/settings, https://www.perplexity.ai/rest/sse/perplexity_ask, https://www.perplexity.ai (+4 more) - domains: pseg.com, Cursor.com, cursor.com, ollama.com, mysmartenergy.nj.pseg.com (+3 more) - payloadFileHash: 934fb849dca44540bbdc89e3abd052258dd05d6dc600a8202f3125877d91789b

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownwebsite-apiall (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›