VDB

GCVE-110-OSM-2026-4173

GCVE-110-OSM-2026-4173
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 15, 2026
Exfiltrates full desktop screenshots to api.groq.com via four hardcoded Groq API keys (and steals any victim-installed GROQ_API_KEYS/GROQ_API_KEY environment variables), while exposing an unauthenticated HTTP backdoor on 0.0.0.0:3001 that passes arbitrary shell commands to child_process.exec(). Spawns a fully detached invisible Electron HUD process (skipTaskbar, transparent frameless window, child.unref()) that persists after parent exit; on Windows, launches via VBS with windowsHide:true. **Trigger** (`require()`-time): index.js launches the Electron HUD on first require — no install hook in package.json. **Stealth launch (Windows)**: writes a VBS file to tmpdir and spawns wscript.exe with detached:true and windowsHide:true; calls child.unref() so the implant outlives the parent process. **Stealth launch (non-Windows)**: spawns Electron directly with detached:true, stdio:'ignore', child.unref(). **Screen capture**: src/capture.js uses screenshot-desktop to capture full desktop screenshots on cursor-edge events. **Exfiltration**: src/ai.js base64-encodes each screenshot and calls groq.chat.completions.create() with an image_url payload directed to api.groq.com, using a hardcoded rotation of four Groq API keys (UNIVERSAL_KEYS_RAW); if victim's GROQ_API_KEYS or GROQ_API_KEY env vars are present, they are prepended to the key pool. **RCE backdoor**: cmd-search/server.js binds an Express server on 0.0.0.0:3001 with a POST /execute-cmd route that passes req.body.command directly to child_process.exec() with zero authentication — full local shell access from any process on the host. **Stealth HUD**: src/hud/main.js creates a transparent, frameless, always-on-top Electron window with skipTaskbar:true, rendering an invisible overlay.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowneyevoxx2.4.1 (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›