VDB
EN

MAL-2026-10409

Malicious code in cold-debug-elevator (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cae8ef53b42bfe7f208c404e2e973600fa174f41c5a2009814f5f0e892769195) The package presents itself as a debugging utility but its exported API is a browser credential stealer targeting installer-owned secrets. The `extract(browserPath, outputPath)` entry point spawns Chrome/Edge/Brave under a debugger, locates the OSCrypt App-Bound Encryption provider inside chrome.dll/msedge.dll via Zydis disassembly (searching for the `OSCrypt.AppBoundProvider.Decrypt.ResultCode` string), sets a hardware execute breakpoint, and reads the 32-byte AppBound key out of process registers via ReadProcessMemory. It then DPAPI-decrypts the Local State master key and issues `SELECT... encrypted_value FROM cookies` and `SELECT origin_url, username_value, password_value FROM logins` against every Chrome/Edge/Brave profile, AES-GCM-decrypting cookies, saved passwords, autofill and history. A second entry point `extractGecko(outputPath)` loads nss3.dll from installed Firefox, Thunderbird, Waterfox, SeaMonkey, Pale Moon, LibreWolf and Tor Browser and calls PK11SDR_Decrypt to recover saved passwords from logins.json, then copies cookies.sqlite, formhistory.sqlite and places.sqlite from each profile. Output files are delimited with a `<Sage Private>` branding string consistent with offensive tooling. binding.gyp references vcpkg paths outside the tarball (`<(module_root_dir)\..\builder\src\Chromium-DebugElevator-main (1)\...`), so `node-gyp rebuild` will fail on a normal install — the stealer is distributed as C++ source and runs only after a consumer builds it manually and invokes the API, but the shipped code has no purpose other than harvesting browser secrets from the machine that runs it.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / cold-debug-elevator

No fixed version published yet for cold-debug-elevator (npm). Pin to a known-safe version or switch to an alternative.

참고