VDB
KO

MAL-2026-10409

Malicious code in cold-debug-elevator (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cae8ef53b42bfe7f208c404e2e973600fa174f41c5a2009814f5f0e892769195) The package presents itself as a debugging utility but its exported API is a browser credential stealer targeting installer-owned secrets. The `extract(browserPath, outputPath)` entry point spawns Chrome/Edge/Brave under a debugger, locates the OSCrypt App-Bound Encryption provider inside chrome.dll/msedge.dll via Zydis disassembly (searching for the `OSCrypt.AppBoundProvider.Decrypt.ResultCode` string), sets a hardware execute breakpoint, and reads the 32-byte AppBound key out of process registers via ReadProcessMemory. It then DPAPI-decrypts the Local State master key and issues `SELECT... encrypted_value FROM cookies` and `SELECT origin_url, username_value, password_value FROM logins` against every Chrome/Edge/Brave profile, AES-GCM-decrypting cookies, saved passwords, autofill and history. A second entry point `extractGecko(outputPath)` loads nss3.dll from installed Firefox, Thunderbird, Waterfox, SeaMonkey, Pale Moon, LibreWolf and Tor Browser and calls PK11SDR_Decrypt to recover saved passwords from logins.json, then copies cookies.sqlite, formhistory.sqlite and places.sqlite from each profile. Output files are delimited with a `<Sage Private>` branding string consistent with offensive tooling. binding.gyp references vcpkg paths outside the tarball (`<(module_root_dir)\..\builder\src\Chromium-DebugElevator-main (1)\...`), so `node-gyp rebuild` will fail on a normal install — the stealer is distributed as C++ source and runs only after a consumer builds it manually and invokes the API, but the shipped code has no purpose other than harvesting browser secrets from the machine that runs it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cold-debug-elevator

No fixed version published yet for cold-debug-elevator (npm). Pin to a known-safe version or switch to an alternative.

References