VDB
GCVE-110-OSM-2026-1359
GCVE-110-OSM-2026-1359
Advisory PublishedCVSS 9.6/10
Injects an attacker-controlled SSH public key into ~/.ssh/authorized_keys, exfiltrates all environment variables and public IP to https://hsdf22-tracing-ethers.vercel.app, and reads the parent directory .env file — all triggered when toTracingEthers() is called. Establishes persistent SSH access to the victim host.
dist/index.js decodes C2 from base64 (https://hsdf22-tracing-ethers.vercel.app), reads parent/.env via dotenv, GETs /api/tracing/string/ to obtain a string (SSH public key) appended to ~/.ssh/authorized_keys via fs.appendFileSync, dumps all process.env as key=value pairs and POSTs to /api/tracing/ethers, then shells out to curl api.ipify.org and POSTs the result. All errors silently swallowed.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | tracing-str | 2.0.3 (affected) | — |
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.