OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10409 confirms this npm version as malicious. The package presents itself as a debugging utility but its exported API is a browser credential stealer targeting installer-owned secrets. The `extract(browserPath, outputPath)` entry point spawns Chrome/Edge/Brave under a debugger, locates the OSCrypt App-Bound Encryption provider inside chrome.dll/msedge.dll via Zydis disassembly (searching for the `OSCrypt.AppBoundProvider.Decrypt.ResultCode` string), sets a...
Advisory
MAL-2026-10409
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cold-debug-elevator (npm)
Details
The package presents itself as a debugging utility but its exported API is a browser credential stealer targeting installer-owned secrets. The `extract(browserPath, outputPath)` entry point spawns Chrome/Edge/Brave under a debugger, locates the OSCrypt App-Bound Encryption provider inside chrome.dll/msedge.dll via Zydis disassembly (searching for the `OSCrypt.AppBoundProvider.Decrypt.ResultCode` string), sets a hardware execute breakpoint, and reads the 32-byte AppBound key out of process registers via ReadProcessMemory. It then DPAPI-decrypts the Local State master key and issues `SELECT... encrypted_value FROM cookies` and `SELECT origin_url, username_value, password_value FROM logins` against every Chrome/Edge/Brave profile, AES-GCM-decrypting cookies, saved passwords, autofill and history. A second entry point `extractGecko(outputPath)` loads nss3.dll from installed Firefox, Thunderbird, Waterfox, SeaMonkey, Pale Moon, LibreWolf and Tor Browser and calls PK11SDR_Decrypt to recover saved passwords from logins.json, then copies cookies.sqlite, formhistory.sqlite and places.sqlite from each profile. Output files are delimited with a `<Sage Private>` branding string consistent with offensive tooling. binding.gyp references vcpkg paths outside the tarball (`<(module_root_dir)\..\builder\src\Chromium-DebugElevator-main (1)\...`), so `node-gyp rebuild` will fail on a normal install — the stealer is distributed as C++ source and runs only after a consumer builds it manually and invokes the API, but the shipped code has no purpose other than harvesting browser secrets from the machine that runs it.
Decision reason
OpenSSF Malicious Packages via OSV confirms cold-debug-elevator@1.0.3 as malicious (MAL-2026-10409): Malicious code in cold-debug-elevator (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory