VDB

GCVE-110-OSM-2026-1699

GCVE-110-OSM-2026-1699
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 9, 2026
Bundles three cross-platform Go binaries (Linux ELF, Darwin Mach-O, Windows PE) that collect a full hardware fingerprint — CPU serial, disk serial, motherboard UUID, VM UUID, cloud instance ID (AWS/GCP/Azure IMDS) — and exfiltrate it via obfuscated execSync calls to C2 at rfs-zone1.restforge.dev on require-time execution with no user interaction. Includes anti-debugging kill-switch that terminates the process if analysis tooling is detected. require('restforgejs') triggers an IIFE in feature-gate/index.js at require-time. The IIFE imports license-client.js (155KB, obfuscator.io, 2752-entry string rotation array) which invokes the platform-appropriate hwinfo binary via execSync. The binary collects cpuSerial, diskSerial, motherboardUuid, vmUuid, platform, environment, architecture, and cloud instance ID (AWS IMDS http://169.254.169.254/latest/meta-data/instance-id, GCP http://metadata.google.internal/computeMetadata/v1/instance/id, Azure IMDS with vmId). The collected HardwareInfo JSON is POSTed to https://rfs-zone1.restforge.dev — the C2 hostname is XOR-encrypted in license-client.js with key 'R3sTf0rG3', recovered via double-decryption of the obfuscator.io rotation IIFE. trusted-keys.js enforces ALLOWED_HOST_REGEX /^(?:[a-z0-9-]+\.)*restforge\.dev$/i and implements five anti-debugging checks (checkNodeOptions, checkRequireFlag, checkDebuggerFlags, isDebuggerAttached, startPeriodicDebuggerCheck) that call process.exit() on detection. The preinstall hook (check-install.js) is a benign decoy printing only an advisory message.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownrestforgejs2.1.2 (affected)

References

vendor

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›