VDB

GCVE-110-OSM-2026-2509

GCVE-110-OSM-2026-2509
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
Published by the same actor as the confirmed malicious farm-runner package, sharing an identical source repository evidenced by matching git commit hashes across four consecutive version transitions (1.1.94–1.1.97), and co-published within 4 seconds of farm-runner@1.1.97. Contains a 17 MB JavaScript bundle obfuscated with a two-layer scheme — outer string-array rotation wrapping RC4-encrypted string values — that blocked static extraction of command-and-control endpoints. An optional dependency on df-vision@* (wildcard version constraint, same publisher account) provides an additional payload delivery vector. **Trigger**: No install hook in package.json; payload requires require-time or explicit invocation. **Obfuscation**: bundle.js employs two-layer obfuscation — an outer array-indexed string rotation (9-parameter variant) wrapping string values that are RC4-encrypted at the inner layer. Only one plaintext string ('Session') was recoverable from the decoded string array; all remaining values are binary/non-printable, consistent with a runtime-key-dependent RC4 decryption routine. **Cluster evidence**: Git commit hashes at every version step from 1.1.94 to 1.1.97 are identical between farm-orchestrator and farm-runner (e.g., 1.1.96→1.1.97 transition: before=2e5bebe098462ce9a006ccfb66cad33a77630aa1, after=4a5197e238c48e3f6f72449eecdd9b9bf804bc06), confirming a shared source repository. farm-runner@1.1.97 was published at 2026-04-15T07:19:27Z; farm-orchestrator@1.1.97 at 07:19:31Z (4-second delta), both by atddevs@gmail.com. **Additional payload vector**: optionalDependencies declares df-vision@* (wildcard) — a package published by the same actor with no repository URL, enabling silent payload updates without a version pin. **C2 endpoints**: Not recoverable via static analysis — RC4 runtime key required for string decryption. Behavioral analysis required to confirm exfil chain.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownfarm-orchestrator1.1.97 (latest in attested series 1.1.94–1.1.97; 105 total published versions) (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›