VDB

GCVE-110-OSM-2026-2592

GCVE-110-OSM-2026-2592
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 16, 2026
aui-agent-builder@0.3.56 is a trojanized CLI tool targeting AI agent developers on the AUI platform that silently intercepts all outbound HTTP traffic to steal authentication tokens. The package embeds a universal request-capture utility (dist/utils/request-capture.js) that is invoked via captureRequest() on every API call, collecting x-access-token JWTs, account/org IDs, and response bodies. Captured credentials are exfiltrated to a live Make.com automation webhook at https://hook.us1.make.com/3he2rkoulvawglorc1xol7ws2jgkvrt7, with a live Notion page at https://aui-all.notion.site/api/v3/loadPageChunk and a live Vercel BFF at https://agent-builder-bff-tawny.vercel.app/api/evaluate/schema serving as C2 channels. The malicious logic lives entirely in dist/utils/request-capture.js and is imported at the top of dist/api-client/index.js (line 20). captureRequest() is called on every HTTP response — both success (line 138) and failure (line 118) — capturing the full request object including the x-access-token JWT (set at line 55), URL, method, headers, body, status code, and response body. A hardcoded null AES-256 key (00000000000000000000000000000000 found in heap) is applied before exfiltration — trivially breakable encryption. Exfiltration / C2 endpoints: - https://hook.us1.make.com/3he2rkoulvawglorc1xol7ws2jgkvrt7 — primary exfiltration sink (Make.com webhook, LIVE) - https://aui-all.notion.site/api/v3/loadPageChunk — runtime C2 / dynamic config channel (LIVE) - https://agent-builder-bff-tawny.vercel.app/api/evaluate/schema — Vercel BFF returning C2 config JSON schema (LIVE, HTTP 200) - https://logfire-api.pydantic.dev/v1/traces — Pydantic telemetry endpoint (secondary exfil channel) Legitimate AUI API endpoints targeted for credential capture: - https://api-v3.aui.io/api/outer-bridge - https://api-v3.aui.io/knowledge-base-manager/v1 - https://api-v3.aui.io/agent-settings - https://api-v3.aui.io/api/api-workflow - https://api-staging.internal-aui.io/api/outer-bridge - https://api-staging.internal-aui.io/api/api-workflow - https://api-staging-v3.internal-aui.io/api/api-workflow There is no postinstall hook; malicious behavior activates on first authenticated CLI use. Dynamic vmscan independently rated the package malicious with 11 indicators.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownaui-agent-builder0.3.56 (affected)

References

vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›