VDB
GCVE-110-OSM-2026-5950
GCVE-110-OSM-2026-5950
Advisory PublishedCVSS 8.8/10
Exfiltrates environment variables containing credentials, tokens, keys, SSH details, API secrets, and wallet data to attacker-controlled infrastructure at 185.130.46.35:8443/collect via HTTPS POST during preinstall. Version 999.0.0 is a dependency confusion attack targeting private registry packages.
**Trigger** (`preinstall`): executes `node postinstall.js || true` at install time. **Collection**: reads all `process.env` entries and filters for those matching `/key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i`. **System recon**: collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `npm_config_registry`, `npm_config_prefix`, and a timestamp. **Serialization**: packages all collected data into a single JSON object via `JSON.stringify()`. **Exfiltration**: POSTs the JSON payload to `https://185.130.46.35:8443/collect` via `https.request()` with `Content-Type: application/json`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | hemi-supply-cron | 999.0.0 (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.