VDB

GCVE-110-OSM-2026-5109

GCVE-110-OSM-2026-5109
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Exfiltrates system identity and CI environment variables to an attacker-controlled Cloudflare Workers endpoint when invoked via `npx workos-migrate`. Collects hostname, username, working directory, home directory, platform, architecture, memory, network interfaces, and CI tokens including GITHUB_ACTIONS, GITHUB_REPOSITORY, GITHUB_ACTOR, VERCEL, GITLAB_CI, JENKINS_URL, and CIRCLECI, then POSTs the payload as JSON to https://callback-monitor.cyb3rsh4ykh.workers.dev/c. Impersonates the legitimate WorkOS migration CLI tool. **Trigger**: bin entrypoint — exfiltration fires when the user runs `npx workos-migrate`; no install hook is present. **Collection (system info)**: reads `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `os.homedir()`, `os.platform()`, `os.arch()`, `process.version`, `os.cpus().length`, `os.totalmem()`, `os.uptime()`, and `os.networkInterfaces()`. **Collection (CI env vars)**: reads `process.env.GITHUB_ACTIONS`, `process.env.GITHUB_REPOSITORY`, `process.env.GITHUB_ACTOR`, `process.env.VERCEL`, `process.env.VERCEL_ENV`, `process.env.GITLAB_CI`, `process.env.JENKINS_URL`, `process.env.CIRCLECI`, `process.env.CI`, `process.env.CONTINUOUS_INTEGRATION`. **Encoding**: all collected data serialized as JSON. **Exfiltration**: POSTs to literal constant `CALLBACK_URL = 'https://callback-monitor.cyb3rsh4ykh.workers.dev/c'` via `mod.request(CALLBACK_URL)` in `loaders/index.js`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownworkos-migrate1.0.0 (affected)

References

vendor

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›