VDB

GCVE-110-OSM-2026-3451

GCVE-110-OSM-2026-3451
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Exfiltrates comprehensive Android device telemetry — installed packages, /sdcard filesystem inventory, running processes, accessibility services, system logs, network connections, and LD_PRELOAD environment variable — to attacker-controlled C2 at neskss.onrender.com via HTTP POST at require-time. Disguised as a Portuguese-language Free Fire anti-cheat scanner ('NeskSS — Terror dos xitados') targeting Termux users; published across 8 versions in 3.5 hours with a deliberately obfuscated payload. **Trigger** (require-time): `main()` is called unconditionally at the bottom of the obfuscated `dist/index.js`; fires on any `require()` or direct execution — no install hook needed. **Key validation gate**: Before any collection begins, the package makes a GET request to the validate endpoint at `https://neskss.onrender.com/api/v1/keys/validate/` appending the CLI-supplied AccessKey; the process exits if the key is rejected. **Data collection** (15+ `child_process.exec` calls across named scan functions): - `pm list packages` — full installed Android package inventory - `find /sdcard/Download /sdcard/Android/data /sdcard/DCIM ... -maxdepth 5 -type f` — filesystem scan - `ps -A -o NAME` — running process list filtered for frida, magisk, gameguardian, inject, su - `settings get secure enabled_accessibility_services` + `cmd appops query-op SYSTEM_ALERT_WINDOW allow` - `logcat -d -t 1000 *:E *:W` — last 1,000 system log entries - `netstat -antup` / `ss -antup` — active connections; ADB state - `getprop` — full device property dump with emulator detection - `process.env.LD_PRELOAD` — read directly; exfiltrated as `memory_analysis.injection_method` **Exfiltration**: All results assembled into a single JSON payload and POSTed to `https://neskss.onrender.com/api/v1/scan/report` with `x-access-key` header.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnesk-scanner-termux* (affected)

References

vendor

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›