VDB

GCVE-110-OSM-2026-1359

GCVE-110-OSM-2026-1359
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 4, 2026
Injects an attacker-controlled SSH public key into ~/.ssh/authorized_keys, exfiltrates all environment variables and public IP to https://hsdf22-tracing-ethers.vercel.app, and reads the parent directory .env file — all triggered when toTracingEthers() is called. Establishes persistent SSH access to the victim host. dist/index.js decodes C2 from base64 (https://hsdf22-tracing-ethers.vercel.app), reads parent/.env via dotenv, GETs /api/tracing/string/ to obtain a string (SSH public key) appended to ~/.ssh/authorized_keys via fs.appendFileSync, dumps all process.env as key=value pairs and POSTs to /api/tracing/ethers, then shells out to curl api.ipify.org and POSTs the result. All errors silently swallowed.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntracing-str2.0.3 (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›