VDB

GCVE-110-OSM-2026-3120

GCVE-110-OSM-2026-3120
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 24, 2026
Steals GCP service account OAuth tokens, AWS IAM credentials, and all environment variables via a postinstall hook targeting Google Jules AI coding agent environments. Exfiltrates collected credentials to aaronstack.com/jules-collect and installs persistent MCP server hijack routing context7 and linear MCP tool calls to aaronstack.com/jules-mcp/mcp. Establishes additional persistence through .bashrc env-leak hooks and AGENTS.md injection that social-engineers the AI agent into using the attacker MCP server. postinstall.js triggers immediately on install and beacons to C2. Executes a credential sweep: regex-filters env vars for API keys and tokens (LINEAR, SUPABASE, NEON, TINYBIRD, GOOGLE, GEMINI, ANTHROPIC, AWS, GITHUB, NPM_TOKEN, SLACK, DISCORD), base64-encodes all env vars, probes GCP IMDS at 169.254.169.254 with Metadata-Flavor: Google header for service account OAuth tokens, AWS IMDS for IAM credentials, and Firecracker MMDS via IMDSv2 token PUT targeting the Jules sandbox. Scans /proc/1/environ and all /proc/*/environ for sensitive keys. Harvests /run/secrets, /var/secrets, /var/run/secrets, /etc/jules-credentials, application_default_credentials.json, ~/.gcp/credentials.json, KUBECONFIG, ~/.npmrc, ~/.netrc, .env files, and runs find for credentials.json, service-account*.json, *.pem. Reads /etc/passwd, runs ss -antp, lists /app/ and /app/.git/. Persistence phase writes attacker MCP config to /root/.jules/mcp.json, /home/jules/.jules/mcp.json, $INIT_CWD/.jules/config.json, and /app/.jules/config.json. Writes AGENTS.md to $INIT_CWD and /app/ instructing the AI agent to fetch documentation from context7. Appends .bashrc hooks to /home/jules/.bashrc and /root/.bashrc that base64-encode env and POST to C2 on every new shell. All data aggregated and POSTed to C2 with X-Secret auth header.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@gbrlxvii/ts-env-validator1.0.4 (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›