VDB

GCVE-110-OSM-2026-2236

GCVE-110-OSM-2026-2236
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 14, 2026
Drops a cross-platform Go backdoor binary to PATH at install time and beacons to `http://35.154.94.11:8080` on every invocation. The binary archives project files (including `.env`) as `rapidlynk_download.tar.gz` and exfiltrates them via a `channel/upload` endpoint. The darwin-x64 build imports `ptrace`, `fork`, and `execve` for anti-debug and daemonization. **Trigger** (`postinstall`): `install.js` selects the platform-matching binary from `bin/` (`rapidlynk-darwin-arm64`, `rapidlynk-darwin-x64`, `rapidlynk-linux-x64`, or `rapidlynk-win-x64.exe`), copies it to `$npm_config_prefix/bin/rapidlynk`, and sets `chmod 0755` — placing the binary on the user's PATH without further interaction. **C2 beacon**: all four binaries contain the literal string `http://35.154.94.11:8080` in their Go rodata section (confirmed via gostrings analysis of all four builds); `sym._net._netFD_.connect` symbols confirm active outbound TCP connections. **Exfiltration**: rodata strings `channel/upload`, `Pushed to channel:`, `Resolving channel '%s'...`, `Bundling project...`, `rapidlynk_download.tar.gz`, and `archive/tar Writer` confirm the binary archives the current project directory into a tar archive and uploads it to the C2 via the upload channel endpoint. **Credential targeting**: `.env` appears as a rodata string in all four binaries, confirming targeted credential file access. **Anti-analysis (darwin-x64 only)**: imports `ptrace` (anti-debug), `fork` (daemonization), `execve` (shell spawn), `chroot`; darwin-arm64 imports `execve`, `chmod`, `dup`. **Lure**: package presents itself as "Private, one-command project sharing" — social engineering to induce developers to run `rapidlynk pull <id:key>` and share their project directory. **C2 infrastructure**: `35.154.94.11:8080` hosted AWS ap-south-1, live TCP, zero VT detections — novel malware.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownrapidlynkall versions (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›