VDB

GCVE-110-OSM-2026-177

GCVE-110-OSM-2026-177
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code. Payload: apps/backend/tests/unit/test_meeting_webhooks.py Secondary files: apps/backend/services/license/__init__.py, apps/backend/extensions/enrichment/apollo_provider.py Key findings: - Environment Variable Exfiltration in apps/backend/services/license/__init__.py: "os.environ.get("WORKWEAVER_LICENSE_URL", _DEFAULT_LICENSE_URL) def _fetch(s..." - Environment Variable Exfiltration in apps/backend/workmemory/api/app.py: "os.environ.get("LOG_LEVEL", "INFO") logging.basicConfig( level=getattr(loggi..." - Corporate Environment Targeting in apps/backend/workmemory/api/routes/agent.py: "tModel from apps.backend.workmemory.services.recall_policy import ( REASON_N..." - Corporate Environment Targeting in apps/dashboard/admin/managers/ai-playground.js: "tModelId) { const match" - Shell Command Execution in .codex/skills/workweaver-secret-handling/scripts/scan_sensitive_diff.py: "subprocess.run(" IOCs: - ipv4: 7.1.1.1, 100.64.0.0, 198.18.0.0, 240.0.0.0, 199.199.199.199 (+2 more) - ipv6: fe80::, fc00:: - urls: https://workweaver.ai, https://docs.workweaver.ai, https://api-shadow.workweaver.ai, https://workweaver.ai/runtime/#/mission`, https://workweaver.ai/runtime/#/{surface (+45 more) - domains: gate.sh, ui-avatars.com, memory.org, founder.org, docs.soliditylang.org (+33 more) - emails: legal@workweaver.ai, hello@workweaver.ai, API@hub.snapshot.org, workweaver@bitfoundry.ai, aditya.koushik@bitfoundry.ai (+45 more) - bitcoinAddresses: 11111111111111111111111111111111 - ethereumAddresses: 0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789, 0x0000000071727De22E5E9d8BAf0edAc6f37da032, 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48, 0xdAC17F958D2ee523a2206206994597C13D831ec7 (+45 more) - sha256Hashes: 6a27522252aef8432841f224d9baaa6e9fce07b07584154fa0b9a96603af7456, 0000000000000000000000001234567890abcdef1234567890abcdef12345678, ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef, 0000000000000000000000000000000000000000000000000000000000000001, 0000000000000000000000000000000000000000000000000000000000000002 (+3 more) - payloadFileHash: b4b1d09a5ec24d2d0167068d567262857f6ed06610d1537b678e6830331f2fba

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownvision-service-python-clientall (affected)
unknownworkweaverall (affected)
unknownwisecloudcyberark* (affected), all (affected), all (affected), all (affected)
unknownrisk-utilities* (affected), all (affected), all (affected), all (affected), all (affected), * (affected), * (affected)
unknownfwk-amigapython-amigamlserver* (affected), all (affected), all (affected), all (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›