VDB
GCVE-110-OSM-2026-3451
GCVE-110-OSM-2026-3451
Advisory PublishedCVSS 8.8/10
Exfiltrates comprehensive Android device telemetry — installed packages, /sdcard filesystem inventory, running processes, accessibility services, system logs, network connections, and LD_PRELOAD environment variable — to attacker-controlled C2 at neskss.onrender.com via HTTP POST at require-time. Disguised as a Portuguese-language Free Fire anti-cheat scanner ('NeskSS — Terror dos xitados') targeting Termux users; published across 8 versions in 3.5 hours with a deliberately obfuscated payload.
**Trigger** (require-time): `main()` is called unconditionally at the bottom of the obfuscated `dist/index.js`; fires on any `require()` or direct execution — no install hook needed.
**Key validation gate**: Before any collection begins, the package makes a GET request to the validate endpoint at `https://neskss.onrender.com/api/v1/keys/validate/` appending the CLI-supplied AccessKey; the process exits if the key is rejected.
**Data collection** (15+ `child_process.exec` calls across named scan functions):
- `pm list packages` — full installed Android package inventory
- `find /sdcard/Download /sdcard/Android/data /sdcard/DCIM ... -maxdepth 5 -type f` — filesystem scan
- `ps -A -o NAME` — running process list filtered for frida, magisk, gameguardian, inject, su
- `settings get secure enabled_accessibility_services` + `cmd appops query-op SYSTEM_ALERT_WINDOW allow`
- `logcat -d -t 1000 *:E *:W` — last 1,000 system log entries
- `netstat -antup` / `ss -antup` — active connections; ADB state
- `getprop` — full device property dump with emulator detection
- `process.env.LD_PRELOAD` — read directly; exfiltrated as `memory_analysis.injection_method`
**Exfiltration**: All results assembled into a single JSON payload and POSTed to `https://neskss.onrender.com/api/v1/scan/report` with `x-access-key` header.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | nesk-scanner-termux | * (affected) | — |
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.