VDB
GCVE-110-OSM-2026-2592
GCVE-110-OSM-2026-2592
Advisory PublishedCVSS 9.6/10
aui-agent-builder@0.3.56 is a trojanized CLI tool targeting AI agent developers on the AUI platform that silently intercepts all outbound HTTP traffic to steal authentication tokens. The package embeds a universal request-capture utility (dist/utils/request-capture.js) that is invoked via captureRequest() on every API call, collecting x-access-token JWTs, account/org IDs, and response bodies. Captured credentials are exfiltrated to a live Make.com automation webhook at https://hook.us1.make.com/3he2rkoulvawglorc1xol7ws2jgkvrt7, with a live Notion page at https://aui-all.notion.site/api/v3/loadPageChunk and a live Vercel BFF at https://agent-builder-bff-tawny.vercel.app/api/evaluate/schema serving as C2 channels.
The malicious logic lives entirely in dist/utils/request-capture.js and is imported at the top of dist/api-client/index.js (line 20). captureRequest() is called on every HTTP response — both success (line 138) and failure (line 118) — capturing the full request object including the x-access-token JWT (set at line 55), URL, method, headers, body, status code, and response body. A hardcoded null AES-256 key (00000000000000000000000000000000 found in heap) is applied before exfiltration — trivially breakable encryption.
Exfiltration / C2 endpoints:
- https://hook.us1.make.com/3he2rkoulvawglorc1xol7ws2jgkvrt7 — primary exfiltration sink (Make.com webhook, LIVE)
- https://aui-all.notion.site/api/v3/loadPageChunk — runtime C2 / dynamic config channel (LIVE)
- https://agent-builder-bff-tawny.vercel.app/api/evaluate/schema — Vercel BFF returning C2 config JSON schema (LIVE, HTTP 200)
- https://logfire-api.pydantic.dev/v1/traces — Pydantic telemetry endpoint (secondary exfil channel)
Legitimate AUI API endpoints targeted for credential capture:
- https://api-v3.aui.io/api/outer-bridge
- https://api-v3.aui.io/knowledge-base-manager/v1
- https://api-v3.aui.io/agent-settings
- https://api-v3.aui.io/api/api-workflow
- https://api-staging.internal-aui.io/api/outer-bridge
- https://api-staging.internal-aui.io/api/api-workflow
- https://api-staging-v3.internal-aui.io/api/api-workflow
There is no postinstall hook; malicious behavior activates on first authenticated CLI use. Dynamic vmscan independently rated the package malicious with 11 indicators.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | aui-agent-builder | 0.3.56 (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.