VDB
GCVE-110-OSM-2026-2509
GCVE-110-OSM-2026-2509
Advisory PublishedCVSS 8.8/10
Published by the same actor as the confirmed malicious farm-runner package, sharing an identical source repository evidenced by matching git commit hashes across four consecutive version transitions (1.1.94–1.1.97), and co-published within 4 seconds of farm-runner@1.1.97. Contains a 17 MB JavaScript bundle obfuscated with a two-layer scheme — outer string-array rotation wrapping RC4-encrypted string values — that blocked static extraction of command-and-control endpoints. An optional dependency on df-vision@* (wildcard version constraint, same publisher account) provides an additional payload delivery vector.
**Trigger**: No install hook in package.json; payload requires require-time or explicit invocation.
**Obfuscation**: bundle.js employs two-layer obfuscation — an outer array-indexed string rotation (9-parameter variant) wrapping string values that are RC4-encrypted at the inner layer. Only one plaintext string ('Session') was recoverable from the decoded string array; all remaining values are binary/non-printable, consistent with a runtime-key-dependent RC4 decryption routine.
**Cluster evidence**: Git commit hashes at every version step from 1.1.94 to 1.1.97 are identical between farm-orchestrator and farm-runner (e.g., 1.1.96→1.1.97 transition: before=2e5bebe098462ce9a006ccfb66cad33a77630aa1, after=4a5197e238c48e3f6f72449eecdd9b9bf804bc06), confirming a shared source repository. farm-runner@1.1.97 was published at 2026-04-15T07:19:27Z; farm-orchestrator@1.1.97 at 07:19:31Z (4-second delta), both by atddevs@gmail.com.
**Additional payload vector**: optionalDependencies declares df-vision@* (wildcard) — a package published by the same actor with no repository URL, enabling silent payload updates without a version pin.
**C2 endpoints**: Not recoverable via static analysis — RC4 runtime key required for string decryption. Behavioral analysis required to confirm exfil chain.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | farm-orchestrator | 1.1.97 (latest in attested series 1.1.94–1.1.97; 105 total published versions) (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.