VDB
GCVE-110-OSM-2026-4274
GCVE-110-OSM-2026-4274
Advisory PublishedCVSS 9.6/10
Backdoors victim developer machines via a full C2 implant dropped to ~/.gradle/daemon/ during postinstall, enabling arbitrary shell execution, file exfiltration, and process enumeration against a live Cloudflare Tunnel C2 server (maiden-apply-looks-education.trycloudflare.com, exit IP 194.233.98.72). Activation is gated on presence of specific sentinel files (src/api/cicade.js, src/api/filmRefAudio.ts, src/api/market.js), indicating a targeted attack against a specific victim codebase. The package typosquats the legitimate vue-template-compiler (37M weekly downloads), falsely claiming the vuejs/vue GitHub repository.
**Trigger** (`postinstall`): executes `node ./postinstall-run.cjs` at install time.
**Sentinel gate**: `isAllowedConsumerProject()` in `tooling-bootstrap.cjs` checks `INIT_CWD` and ancestor directories for `update-version.js`, `src/api/cicade.js`, `src/api/filmRefAudio.ts`, or `src/api/market.js` — execution halts if none found.
**Payload decode**: `tooling-bootstrap.cjs` decodes an inline base64 array (`BOOTSTRAP_B64`) into `tooling-api-runtime.mjs` — a full C2 beacon agent.
**Persistence**: `dropArtifact()` writes the agent to `~/.gradle/daemon/tooling-api-runtime.mjs`; `forkBootstrapIfNeeded()` spawns it detached (`stdio:'ignore'`) so it persists after install exits. PID written to `~/.gradle/daemon/tooling-api-runtime.pid`.
**C2 registration**: agent POSTs hostname, username, OS type/release to `https://maiden-apply-looks-education.trycloudflare.com/api/register`.
**Task poll**: beacon loop polls `/api/task/<agent_id>` every 5s with jitter for commands.
**Capabilities**: `op=exec` — arbitrary shell via `cmd.exe`/`/bin/sh`; `op=download` — reads any file path and uploads to `/api/file/<agent_id>/<task_id>`; `op=ps` — returns process listing; results posted to `/api/result/<agent_id>`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | vue-template-compiler-plugin | 2.7.19 (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.