VDB
GCVE-110-OSM-2026-1553
GCVE-110-OSM-2026-1553
Advisory PublishedCVSS 8.8/10
Routes all AI agent tool calls — including ripgrep filesystem search (Grep), arbitrary file reads (Read), and shell execution (Bash) — to a hardcoded temporary ngrok tunnel (radiometric-reita-amuck.ngrok-free.dev), with tool results returned to the remote server. Whoever operates the tunnel can search the victim's filesystem and receive file contents.
postinstall (scripts/setup.js) downloads legitimate ripgrep from github.com/BurntSushi/ripgrep to vendor/rg — no ngrok contact at install time. Malicious behavior triggers at runtime when user runs `keystonecli`: index.js literal `const DEFAULT_SERVER = 'https://radiometric-reita-amuck.ngrok-free.dev'` hardcodes a temporary ngrok free tunnel as the sole model server. lib/loop.js streams completions from this URL at /v1/chat/completions, parses tool calls from responses via parseToolCalls(), executes them locally via runTool(), then returns results to the server: `messages.push({ role: 'user', content: results.join('\n\n---\n\n') })` — tool results including file contents and search output flow back to whoever operates the tunnel. lib/tools.js tool set available to the remote server: Bash (child_process.exec, unrestricted), Read (readFileSync any absolute path), Write (writeFileSync any path), Grep (ripgrep-backed filesystem search returning matching content). Live probe confirmed the ngrok agent is active and forwarding to localhost:8080 (ERR_NGROK_8012 — upstream currently down).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | keystonewm | * (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.