npm

cold-debug-elevator @1.0.4

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10409

Ecosystem

npm

Summary

The package presents itself as a debugging utility but its exported API is a browser credential stealer targeting installer-owned secrets. The extract(browserPath, outputPath) entry point spawns Chrome/Edge/Brave under a debugger, locates the OSCrypt App-Bound Encryption provider inside chrome.dll/msedge.dll via Zydis disassembly (searching for the OSCrypt.AppBoundProvider.Decrypt.ResultCode string), sets a hardware execute breakpoint, and reads the 32-byte AppBound key out of process registers via ReadProcessMemory. It then DPAPI-decrypts the Local State master key and issues SELECT... encrypted_value FROM cookies and SELECT origin_url, username_value, password_value FROM logins against every Chrome/Edge/Brave profile, AES-GCM-decrypting cookies, saved passwords, autofill and history. A second entry point extractGecko(outputPath) loads nss3.dll from installed Firefox, Thunderbird, Waterfox, SeaMonkey, Pale Moon, LibreWolf and Tor Browser and calls PK11SDR_Decrypt to recover saved passwords from logins.json, then copies cookies.sqlite, formhistory.sqlite and places.sqlite from each profile. Output files are delimited with a <Sage Private> branding string consistent with offensive tooling. binding.gyp references vcpkg paths outside the tarball ( <(module_root_dir)\..\builder\src\Chromium-DebugElevator-main (1)\... ), so node-gyp rebuild will fail on a normal install — the stealer is distributed as C++ source and runs only after a consumer builds it manually and invokes the API, but the shipped code has no purpose other than harvesting browser secrets from the machine that runs it.

Source: amazon-inspector (cae8ef53b42bfe7f208c404e2e973600fa174f41c5a2009814f5f0e892769195)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.