VDB
GCVE-110-OSM-2026-2236
GCVE-110-OSM-2026-2236
Advisory PublishedCVSS 9.6/10
Drops a cross-platform Go backdoor binary to PATH at install time and beacons to `http://35.154.94.11:8080` on every invocation. The binary archives project files (including `.env`) as `rapidlynk_download.tar.gz` and exfiltrates them via a `channel/upload` endpoint. The darwin-x64 build imports `ptrace`, `fork`, and `execve` for anti-debug and daemonization.
**Trigger** (`postinstall`): `install.js` selects the platform-matching binary from `bin/` (`rapidlynk-darwin-arm64`, `rapidlynk-darwin-x64`, `rapidlynk-linux-x64`, or `rapidlynk-win-x64.exe`), copies it to `$npm_config_prefix/bin/rapidlynk`, and sets `chmod 0755` — placing the binary on the user's PATH without further interaction.
**C2 beacon**: all four binaries contain the literal string `http://35.154.94.11:8080` in their Go rodata section (confirmed via gostrings analysis of all four builds); `sym._net._netFD_.connect` symbols confirm active outbound TCP connections.
**Exfiltration**: rodata strings `channel/upload`, `Pushed to channel:`, `Resolving channel '%s'...`, `Bundling project...`, `rapidlynk_download.tar.gz`, and `archive/tar Writer` confirm the binary archives the current project directory into a tar archive and uploads it to the C2 via the upload channel endpoint.
**Credential targeting**: `.env` appears as a rodata string in all four binaries, confirming targeted credential file access.
**Anti-analysis (darwin-x64 only)**: imports `ptrace` (anti-debug), `fork` (daemonization), `execve` (shell spawn), `chroot`; darwin-arm64 imports `execve`, `chmod`, `dup`.
**Lure**: package presents itself as "Private, one-command project sharing" — social engineering to induce developers to run `rapidlynk pull <id:key>` and share their project directory.
**C2 infrastructure**: `35.154.94.11:8080` hosted AWS ap-south-1, live TCP, zero VT detections — novel malware.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | rapidlynk | all versions (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.