VDB

GCVE-110-OSM-2026-5950

GCVE-110-OSM-2026-5950
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 15, 2026
Exfiltrates environment variables containing credentials, tokens, keys, SSH details, API secrets, and wallet data to attacker-controlled infrastructure at 185.130.46.35:8443/collect via HTTPS POST during preinstall. Version 999.0.0 is a dependency confusion attack targeting private registry packages. **Trigger** (`preinstall`): executes `node postinstall.js || true` at install time. **Collection**: reads all `process.env` entries and filters for those matching `/key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i`. **System recon**: collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `npm_config_registry`, `npm_config_prefix`, and a timestamp. **Serialization**: packages all collected data into a single JSON object via `JSON.stringify()`. **Exfiltration**: POSTs the JSON payload to `https://185.130.46.35:8443/collect` via `https.request()` with `Content-Type: application/json`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownhemi-supply-cron999.0.0 (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›