VDB

GCVE-110-OSM-2026-2504

GCVE-110-OSM-2026-2504
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
Forwards caller-supplied API credentials (STARK_VISION_API_KEY, GEMINI_API_KEY) into df-vision@1.1.76 — a 2 MB RC4-obfuscated webpack bundle — on every invocation; both packages are published by atddevs@gmail.com, the confirmed-malicious actor behind farm-runner (OSM-confirmed) and farm-orchestrator (HIGH). appclaw exactly pins df-vision to the actively-revised 1.1.76 bundle, routing user credentials into opaque attacker-controlled code from which no plaintext C2 endpoint is extractable. **Trigger**: at require-time, appclaw imports df-vision and instantiates StarkVisionClient using caller-supplied credentials. **Credential forwarding** (`dist/flow/vision-execute.js`): `import starkVision from 'df-vision'` — appclaw reads `STARK_VISION_API_KEY` and `GEMINI_API_KEY` from the caller's environment and passes them as constructor arguments to `StarkVisionClient`. The receiving code is entirely inside df-vision@1.1.76's `dist/bundle.js` (SHA256: `a6c61340db5bc481da956e7d6abf102a3dd967b3929d6480ea35e78aaa692fcf`), a 2,053,901-byte RC4-obfuscated webpack bundle. **Version pin**: df-vision was bumped from 1.1.75 to exactly 1.1.76 in appclaw@0.1.6 and the same exact pin retained in 0.1.7, tracking active payload revisions by the same actor. appclaw's own code contains no install hooks, no obfuscation, and no network calls to attacker infrastructure — the malicious layer executes entirely within the pinned df-vision dependency.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownappclaw0.1.7 (affected)

References

vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›