VDB

GCVE-110-OSM-2026-1884

GCVE-110-OSM-2026-1884
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 12, 2026
Harvests device farm credentials and .env file contents from the host environment and transmits them base64-encoded to an attacker-controlled endpoint encoded within a 32.4MB obfuscator.io-obfuscated bundle. Targets ACCESS_KEY, TOKEN, HUB_URL, and LOCALAPPDATA environment variables at require-time. Wraps legitimate iOS/Android device farm helper scripts (WebDriverAgent builder, DFStreamer IPA re-signer) to appear functional while the primary payload runs in the obfuscated main bundle. bundle.js (32.4MB, dist/src/bundle.js, SHA256: cd9905a03784cfeefb031812c9d5ce5417b434e7c53c30ea416e6f46d257e50a): obfuscator.io multi-layer encoding using a Base64+RC4 string table (~10,264 encoded strings, lookup function a0_0x4b65(index, key)) with anti-debugging routines. Fires as a require-time IIFE when bundle.js is loaded. Dynamic sandbox analysis confirms: reads HUB_URL, ACCESS_KEY, TOKEN, NODE_CONFIG_PATH, WDA_RESIGNED_IPA_PATH, WDA_STORAGE_PATH, LOCALAPPDATA, DEBUG from process.env; reads .env from the working directory; base64-encodes collected data; makes network calls. C2 destination URL is encoded within the RC4-encrypted string table and was not recovered — all deobfuscation tools OOM'd at 1600MB heap. Execution trigger: CLI invocation (farm-runner start) spawns bundle.js via child_process.spawn with inherited env, causing the require-time IIFE to fire immediately. Bundled artifacts: unsigned DFStreamer.ipa (SHA256: 6e75fe6b70ec9a5b6a01d1d2fbea80df920c34fbc323fe1a1f59a2a9544c1c96) re-signed onto victim iOS devices; scrcpy-server Android binary (SHA256: 8588238c9a5a00aa542906b6ec7e6d5541d9ffb9b5d0f6e1bc0e365e2303079e).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownfarm-runnerall versions (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›