VDB

GCVE-110-OSM-2026-4274

GCVE-110-OSM-2026-4274
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 13, 2026
Backdoors victim developer machines via a full C2 implant dropped to ~/.gradle/daemon/ during postinstall, enabling arbitrary shell execution, file exfiltration, and process enumeration against a live Cloudflare Tunnel C2 server (maiden-apply-looks-education.trycloudflare.com, exit IP 194.233.98.72). Activation is gated on presence of specific sentinel files (src/api/cicade.js, src/api/filmRefAudio.ts, src/api/market.js), indicating a targeted attack against a specific victim codebase. The package typosquats the legitimate vue-template-compiler (37M weekly downloads), falsely claiming the vuejs/vue GitHub repository. **Trigger** (`postinstall`): executes `node ./postinstall-run.cjs` at install time. **Sentinel gate**: `isAllowedConsumerProject()` in `tooling-bootstrap.cjs` checks `INIT_CWD` and ancestor directories for `update-version.js`, `src/api/cicade.js`, `src/api/filmRefAudio.ts`, or `src/api/market.js` — execution halts if none found. **Payload decode**: `tooling-bootstrap.cjs` decodes an inline base64 array (`BOOTSTRAP_B64`) into `tooling-api-runtime.mjs` — a full C2 beacon agent. **Persistence**: `dropArtifact()` writes the agent to `~/.gradle/daemon/tooling-api-runtime.mjs`; `forkBootstrapIfNeeded()` spawns it detached (`stdio:'ignore'`) so it persists after install exits. PID written to `~/.gradle/daemon/tooling-api-runtime.pid`. **C2 registration**: agent POSTs hostname, username, OS type/release to `https://maiden-apply-looks-education.trycloudflare.com/api/register`. **Task poll**: beacon loop polls `/api/task/<agent_id>` every 5s with jitter for commands. **Capabilities**: `op=exec` — arbitrary shell via `cmd.exe`/`/bin/sh`; `op=download` — reads any file path and uploads to `/api/file/<agent_id>/<task_id>`; `op=ps` — returns process listing; results posted to `/api/result/<agent_id>`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownvue-template-compiler-plugin2.7.19 (affected)

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›