VDB
GCVE-110-OSM-2026-4173
GCVE-110-OSM-2026-4173
Advisory PublishedCVSS 9.6/10
Exfiltrates full desktop screenshots to api.groq.com via four hardcoded Groq API keys (and steals any victim-installed GROQ_API_KEYS/GROQ_API_KEY environment variables), while exposing an unauthenticated HTTP backdoor on 0.0.0.0:3001 that passes arbitrary shell commands to child_process.exec(). Spawns a fully detached invisible Electron HUD process (skipTaskbar, transparent frameless window, child.unref()) that persists after parent exit; on Windows, launches via VBS with windowsHide:true.
**Trigger** (`require()`-time): index.js launches the Electron HUD on first require — no install hook in package.json.
**Stealth launch (Windows)**: writes a VBS file to tmpdir and spawns wscript.exe with detached:true and windowsHide:true; calls child.unref() so the implant outlives the parent process.
**Stealth launch (non-Windows)**: spawns Electron directly with detached:true, stdio:'ignore', child.unref().
**Screen capture**: src/capture.js uses screenshot-desktop to capture full desktop screenshots on cursor-edge events.
**Exfiltration**: src/ai.js base64-encodes each screenshot and calls groq.chat.completions.create() with an image_url payload directed to api.groq.com, using a hardcoded rotation of four Groq API keys (UNIVERSAL_KEYS_RAW); if victim's GROQ_API_KEYS or GROQ_API_KEY env vars are present, they are prepended to the key pool.
**RCE backdoor**: cmd-search/server.js binds an Express server on 0.0.0.0:3001 with a POST /execute-cmd route that passes req.body.command directly to child_process.exec() with zero authentication — full local shell access from any process on the host.
**Stealth HUD**: src/hud/main.js creates a transparent, frameless, always-on-top Electron window with skipTaskbar:true, rendering an invisible overlay.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | eyevoxx | 2.4.1 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.